| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| | CHARX SEC-3000 | <= 1.6.5 |
| | CHARX SEC-3000 | < 1.7.3 |
| | CHARX SEC-3050 | <= 1.6.5 |
| | CHARX SEC-3050 | < 1.7.3 |
| | CHARX SEC-3100 | <= 1.6.5 |
| | CHARX SEC-3100 | < 1.7.3 |
| | CHARX SEC-3150 | <= 1.6.5 |
| | CHARX SEC-3150 | < 1.7.3 |

Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.
An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for EichrechtAgents only and a potential denial-of-service for these stations.
A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation.
A low-privileged local attacker can leverage insecure permissions via SSH on the affected devices to escalate privileges to root.
An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they are restarted by the watchdog.
A physical attacker with access to the device display via USB-C can send a message to the device which triggers an insecure copy to a buffer, resulting in a loss of integrity and a temporary denial-of-service for the stations until they are restarted by the watchdog.
The vulnerabilities can lead to a total loss of confidentiality, integrity and availability of the devices.
Mitigation
Affected charging controllers are designed and developed for use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks, protected by a suitable firewall.
Remediation
Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes vulnerabilities CVE-2025-24005 and CVE-2025-24006. The vulnerabilities CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004 affect the Eichrecht functionality in FW <= 1.6.5, and there is currently no vendor fix planned for these issues.
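The following Python sketch is an added example, not part of the Phoenix Contact advisory: it applies the version thresholds stated above to a device inventory so that each controller is matched to the CVEs that still apply to its firmware. The inventory layout, host names and status labels are constructed assumptions.

```python
import re

# Thresholds and CVE ids as stated in the advisory text.
EICHRECHT_CVES = ("CVE-2025-24002", "CVE-2025-24003", "CVE-2025-24004")  # FW <= 1.6.5
FIXED_IN_1_7_3 = ("CVE-2025-24005", "CVE-2025-24006")                     # FW < 1.7.3
LISTED_MODELS = re.compile(r"CHARX SEC-3(000|050|100|150)")

def parse_fw(version):
    """Turn '1.6.5', 'v1.7' or ' 1.7.3 ' into a comparable 3-tuple of ints."""
    m = re.fullmatch(r"[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def open_cves(version):
    """Return the advisory's CVE ids that apply to this firmware version."""
    fw = parse_fw(version)
    cves = []
    if fw <= (1, 6, 5):
        cves.extend(EICHRECHT_CVES)
    if fw < (1, 7, 3):
        cves.extend(FIXED_IN_1_7_3)
    return cves

def triage(inventory):
    """inventory: iterable of (host, model, firmware) -> list of (host, status, cves)."""
    rows = []
    for host, model, fw in inventory:
        if not LISTED_MODELS.fullmatch(model.strip()):
            rows.append((host, "not-listed", []))
            continue
        try:
            cves = open_cves(fw)
        except ValueError:
            # Never guess: an unparseable version is flagged for a manual check.
            rows.append((host, "check-manually", []))
            continue
        rows.append((host, "affected" if cves else "not-affected", cves))
    return rows

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = [
    ("cp-01", "CHARX SEC-3100", "1.6.5"),
    ("cp-02", "CHARX SEC-3000", "v1.7.0"),
    ("cp-03", "CHARX SEC-3150", "1.7.3"),
    ("cp-04", "CHARX SEC-3050", "unknown"),
]

if __name__ == "__main__":
    for host, status, cves in triage(SAMPLE):
        print(f"{host}: {status} {', '.join(cves)}")
```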
General Recommendation
For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application Note Security.
Jesson Soto Ventura and Matthew Waddell from ivision.
CERT@VDE coordinated with Phoenix Contact GmbH & Co. KG