
ID

VDE-2025-084

Published

2025-09-08 09:00 (CEST)

Last update

2025-09-05 11:35 (CEST)

Vendor(s)

Bender GmbH & Co. KG

Product(s)

Article No°   Product Name   Affected Version(s)
              CC612          all
              CC613          all
              ICC13xx        all
              ICC15xx        all
              ICC16xx        all

Summary

Bender is publishing this advisory to inform customers about a security vulnerability in the Charge Controller product families. Bender has analyzed the weakness and determined that the electrical safety of the devices is not affected. Bender considers the weakness to be of high risk and it should be patched immediately.


Last Update:

5. September 2025 11:31

Weakness

Cleartext Transmission of Sensitive Information (CWE-319)

Summary

Due to an insecure default configuration, HTTP is used instead of HTTPS for the web interface. An unauthenticated attacker on the same network could exploit this to learn sensitive data during transmission.


Impact

Due to an insecure default configuration, HTTP is used instead of HTTPS for the web interface.

Solution

Mitigation

To use HTTPS on the web interface, enable it in the settings.
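
To confirm the setting took effect on every installed controller, the following check sends one plain-HTTP request to each device and reports whether the web interface still answers without TLS. It is an added example, not code from Bender or CERT@VDE; the port 80 default, the verdict strings and the function names are assumptions of this example.

```python
"""Audit check: does a device web interface still answer over cleartext HTTP?"""
import http.client
import sys
from urllib.parse import urlsplit


def classify(status, location):
    """Classify the reply to a plain-HTTP 'GET /' (status None = no HTTP answer)."""
    if status is None:
        return "http-closed"
    # Only an absolute redirect to an https:// URL moves the session onto TLS.
    if 300 <= status < 400 and urlsplit(location or "").scheme == "https":
        return "redirects-to-https"
    # Anything else (page, login form, relative redirect) stays in cleartext.
    return "cleartext-http"


def probe(host, port=80, timeout=3.0):
    """Send one GET / over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return classify(None, None)
    finally:
        conn.close()


def audit(hosts, port=80):
    """Return {host: verdict} for every controller address given."""
    return {host: probe(host, port) for host in hosts}


if __name__ == "__main__":
    # Usage: python check_http.py <controller-address> [<controller-address> ...]
    results = audit(sys.argv[1:])
    for host, verdict in results.items():
        print(f"{host}\t{verdict}")
    # Non-zero exit when any device still serves its interface in cleartext.
    sys.exit(1 if "cleartext-http" in results.values() else 0)
```

A verdict of `http-closed` only shows that nothing answered over HTTP on that port; it does not by itself prove that HTTPS is enabled.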

Reported by

CERT@VDE coordinated with Bender GmbH & Co. KG.

Dr. Matthias Kesenheimer and Sebastian Hamann from SySS GmbH reported this vulnerability.