
Phoenix Contact: Multiple vulnerabilities in the Firmware of CHARX SEC charge controllers

VDE-2024-019
Last update
14.05.2024 08:00
Published at
14.05.2024 08:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2024-019
CSAF Document

Summary

Multiple vulnerabilities have been discovered in the Firmware of CHARX SEC charge controllers.
Update: credits have been updated.

Impact

CVE-2024-28137: The exploit allows a local user to gain root privileges, which allows them to take over the device.

CVE-2024-28134: The exploit allows an attacker without a local account to get access to the web-based management with the privileges of the currently logged-in user.

CVE-2024-28135: The exploit allows a user of the web-based management to perform remote code execution on the device as a user with low privileges.

CVE-2024-28133: The exploit allows a local user on the device to perform privilege escalation to gain root privileges.

CVE-2024-28136: When the OCPP management port is opened, the exploit allows an attacker without a local account to gain root privileges and perform remote code execution.

Affected Product(s)

Model no.   Product name     Affected versions
1139022     CHARX SEC-3000   Firmware <=1.5.1
1139018     CHARX SEC-3050   Firmware <=1.5.1
1139012     CHARX SEC-3100   Firmware <=1.5.1
1138965     CHARX SEC-3150   Firmware <=1.5.1

Vulnerabilities


Published
22.09.2025 14:58
Weakness
Untrusted Search Path (CWE-426)
Summary

A local low privileged attacker can use an untrusted search path in a CHARX system utility to gain root privileges.

References

Published
22.09.2025 14:58
Weakness
Improper Input Validation (CWE-20)
Summary

A local attacker with low privileges can use a command injection vulnerability to gain root privileges due to improper input validation using the OCPP Remote service.

References

Published
22.09.2025 14:58
Weakness
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Summary

A local attacker with low privileges can perform a privilege escalation with an init script due to a TOCTOU vulnerability.

References

Published
22.09.2025 14:58
Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary

An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged-in user due to cleartext transmission of sensitive information. No additional user interaction is required. The access is limited, as only non-sensitive information can be obtained, but the availability can be seriously affected.

References

Published
22.09.2025 14:58
Weakness
Improper Input Validation (CWE-20)
Summary

A low-privileged remote attacker can use a command injection vulnerability in the API to perform remote code execution as the user-app user due to improper input validation. The confidentiality is partly affected.

References

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note.
Measures to protect network-capable devices with Ethernet connection

Remediation

PHOENIX CONTACT strongly recommends upgrading affected charge controllers to firmware version 1.6 which fixes these vulnerabilities.

Revision History

Version   Date               Summary
1         14.05.2024 08:00   Initial revision.