VDE-2025-084
Last update
08.09.2025 09:00
Published at
08.09.2025 09:00
Vendor(s)
Bender GmbH & Co. KG
External ID
VDE-2025-084
CSAF Document
Summary
Bender is publishing this advisory to inform customers about a security vulnerability in the Charge Controller product families. Bender has analyzed the weakness and determined that the electrical safety of the devices is not affected. Bender considers the weakness to be of high risk and it should be patched immediately.
Impact
Due to an unsecure default configuration HTTP is used instead of HTTPS for the web interface.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| CC612 | Firmware vers:all/* | |
| CC613 | Firmware vers:all/* | |
| ICC13xx | Firmware vers:all/* | |
| ICC15xx | Firmware vers:all/* | |
| ICC16xx | Firmware vers:all/* |
Vulnerabilities
Expand / Collapse all
Published
24.09.2025 12:38
Severity
Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary
Due to an unsecure default configuration HTTP is used instead of HTTPS for the web interface. An unauthenticated attacker on the same network could exploit this to learn sensitive data during transmission.
References
Mitigation
To use HTTPS on the web interface, enable it in the settings.
Acknowledgments
Bender GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
- Dr. Matthias Kesenheimer, Sebastian Hamann from SySS GmbH for reporting (see https://www.syss.de )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 08.09.2025 09:00 | initial version |