Back to overview

Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

VDE-2025-014
Last update
07/08/2025 12:00
Published at
07/08/2025 12:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2025-014
CSAF Document
Download

Summary

Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.

Impact

The vulnerabilities can lead to a total loss of confidentiality, integrity and availability of the devices.

Affected Product(s)

Model no. Product name Affected versions
CHARX SEC-3000 Firmware <= FW 1.6.5, Firmware < FW 1.7.3
CHARX SEC-3050 Firmware <= FW 1.6.5, Firmware < FW 1.7.3
CHARX SEC-3150 Firmware <= FW 1.6.5, Firmware < FW 1.7.3
CHARX SEC-3150 Firmware <= FW 1.6.5, Firmware < FW 1.7.3

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Privilege Management (CWE-269)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Input Validation (CWE-20)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness
Improper Input Validation (CWE-20)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
5.2 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
References
cve.org | nvd.nist.gov

Mitigation

Affected charging controllers are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.

Remediation

Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes vulnerabilities CVE-2025-24005 and CVE-2025-24006. The vulnerabilities CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004 affect the Eichrecht functionality in FW <=1.6.5 and in the meantime there is no vendor fix planned for these issues.

Revision History

Version Date Summary
1 07/08/2025 12:00 Initial Revision