VDE-2025-061 | CERT@VDE

2025-09-08 09:00 (CEST) VDE-2025-061

Bender Charge Controller Vulnerability - Disclosure Of Stored Credentials When Authenticated

Share: Email | Twitter

ID

VDE-2025-061

Published

2025-09-08 09:00 (CEST)

Last update

2025-09-05 11:13 (CEST)

Vendor(s)

Bender GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	CC612	5.30.2 < 5.33.3
	CC613	5.30.2 < 5.33.3
	ICC13xx	5.30.2 < 5.33.3
	ICC16xx	5.30.2 < 5.33.3

Summary

Bender is publishing this advisory to inform customers about a security vulnerability in the Charge Controller product families. Bender has analyzed the weakness and determined that the electrical safety of the devices is not affected. Bender considers the weakness to be of high risk and it should be patched immediately.

CVE ID

CVE-2025-41682

Last Update:

5. September 2025 11:10

Severity

8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness

Insufficiently Protected Credentials (CWE-522)

Summary

An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password.

Details

cert.vde.com

Impact

The vulnerability allows an authenticated user with lower privileges to obtain credentials stored on the charge controller including the manufacturer password.

Solution

Remediation

To prevent an authenticated user from obtaining stored credentials install version 5.33.3 or later.

Reported by

CERT@VDE coordinated with Bender GmbH & Co. KG.

Dr. Matthias Kesenheimer and Sebastian Hamann from SySS GmbH for reporting.