Summary
A vulnerability in the firmware of CHARX SEC-3xxx charging controllers has been discovered.
Impact
The vulnerability can lead to a total loss of confidentiality, integrity and availability of the devices.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
1139022 | CHARX SEC-3000 | Firmware < FW 1.7.4 |
1139018 | CHARX SEC-3050 | Firmware < FW 1.7.4 |
1139012 | CHARX SEC-3100 | Firmware < FW 1.7.4 |
1138965 | CHARX SEC-3150 | Firmware < FW 1.7.4 |
Vulnerabilities
A low-privileged remote attacker with an account for the Web-based management can change the system configuration to perform a command injection as root, resulting in a total loss of confidentiality, availability and integrity due to improper control of generation of code ('Code Injection').
Mitigation
Affected charging controllers are designed and developed for use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks, protected by a suitable firewall.
Remediation
Phoenix Contact strongly recommends upgrading to firmware version 1.7.4, which fixes vulnerability CVE-2025-41699.
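As an added example that is not part of the advisory, the following Python check flags inventory entries that match the affected-products table above. The model numbers, product names and fixed version 1.7.4 are taken from the advisory; the inventory rows, hostnames and version strings are constructed.

```python
import re
# Model numbers, product names and the fixed version come from the advisory.
AFFECTED_MODELS = {
    "1139022": "CHARX SEC-3000",
    "1139018": "CHARX SEC-3050",
    "1139012": "CHARX SEC-3100",
    "1138965": "CHARX SEC-3150",
}
FIXED_VERSION = (1, 7, 4)
# Accepts the advisory's "FW 1.7.4" spelling as well as a bare "1.7.4".
_VERSION_RE = re.compile(r"(?:FW\s*)?(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> tuple:
    """Turn 'FW 1.7.4' or '1.7.10' into a tuple of ints; integer tuples compare
    correctly where raw strings would wrongly rank '1.7.10' below '1.7.4'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(model_no: str, firmware: str) -> bool:
    """True if the model is listed in the advisory and runs firmware below 1.7.4."""
    if model_no not in AFFECTED_MODELS:
        return False  # other products are out of scope for this advisory
    return parse_version(firmware) < FIXED_VERSION

def affected_devices(inventory):
    """Filter (host, model_no, firmware) rows down to the ones needing the update."""
    return [
        (host, AFFECTED_MODELS[model], fw)
        for host, model, fw in inventory
        if is_affected(model, fw)
    ]

# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("charger-01", "1139022", "FW 1.7.3"),   # below the fixed version
    ("charger-02", "1139018", "FW 1.7.4"),   # exactly the fixed version
    ("charger-03", "1139012", "FW 1.7.10"),  # newer; only a numeric compare gets this right
    ("charger-04", "1138965", "1.6.0"),      # below the fixed version, no 'FW' prefix
    ("gateway-01", "9999999", "FW 1.0.0"),   # model number not in the advisory
]

if __name__ == "__main__":
    for host, product, fw in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: {product} on {fw} -> update to firmware 1.7.4")
```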
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERTVDE for Coordination (see https://certvde.com/en/)
- Ryo Kato from Panasonic Holdings Corporation for Reporting.
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 07/08/2025 12:00 | Initial Revision |
1.1.0 | 10/15/2025 12:00 | Updated the reporting credits, corrected reference token for one product, fixed typo in Document notes |