
ID: VDE-2025-014
Published: 2025-07-08 09:00 (CEST)
Last update: 2025-07-08 08:58 (CEST)
Vendor(s): PHOENIX CONTACT GmbH & Co. KG

Product(s)

Product Name      Affected Version(s)
CHARX SEC-3000    <= 1.6.5
CHARX SEC-3000    < 1.7.3
CHARX SEC-3050    <= 1.6.5
CHARX SEC-3050    < 1.7.3
CHARX SEC-3100    <= 1.6.5
CHARX SEC-3100    < 1.7.3
CHARX SEC-3150    <= 1.6.5
CHARX SEC-3150    < 1.7.3

Summary

Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.

Vulnerabilities

Last update: July 4, 2025, 12:49 p.m.
Weakness: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary: An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity limited to the EichrechtAgents and a potential denial of service for these stations.

Last update: July 4, 2025, 12:51 p.m.
Weakness: Improper Input Validation (CWE-20)
Summary: A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root, due to improper input validation in that script.

Last update: July 4, 2025, 12:53 p.m.
Weakness: Improper Privilege Management (CWE-269)
Summary: A low-privileged local attacker can leverage insecure permissions via SSH on the affected devices to escalate privileges to root.

Last update: July 4, 2025, 12:42 p.m.
Weakness: Improper Input Validation (CWE-20)
Summary: An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial of service for these stations until they are restarted by the watchdog.

Last update: July 4, 2025, 12:50 p.m.
Weakness: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary: A physical attacker with access to the device display via USB-C can send a message to the device that triggers an unchecked copy into a buffer, resulting in a loss of integrity and a temporary denial of service for the stations until they are restarted by the watchdog.

Impact

The vulnerabilities can lead to a total loss of confidentiality, integrity and availability of the devices.

Solution

Mitigation

Affected charging controllers are designed and developed for use in closed industrial networks. Phoenix Contact therefore strongly recommends operating the devices exclusively in closed networks, behind a suitable firewall.

Remediation

Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes CVE-2025-24005 and CVE-2025-24006. The vulnerabilities CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004 affect the Eichrecht functionality in FW <= 1.6.5; no vendor fix is currently planned for these issues.
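The two version ranges in the product table and the two CVE groups in the remediation text are easy to mix up when working through a fleet. The following script is an added example, not CERT@VDE or Phoenix Contact code: it applies the advisory's ranges (below 1.7.3 for CVE-2025-24005/-24006, at or below 1.6.5 for CVE-2025-24002/-24003/-24004) to an inventory and reports which CVEs remain open per device and which recommendation applies. Product names, thresholds and CVE groupings are taken from this advisory; the host names, versions and CSV layout of the inventory are constructed sample data.

```python
"""Inventory check for VDE-2025-014: flag CHARX SEC-3xxx controllers whose
firmware falls inside the affected ranges and say which CVEs remain open.
Added example, not CERT@VDE or Phoenix Contact code.  Product names,
version thresholds and CVE groupings come from the advisory text; the
inventory at the bottom is constructed sample data."""
import csv
import io
from dataclasses import dataclass

AFFECTED_PRODUCTS = {"CHARX SEC-3000", "CHARX SEC-3050",
                     "CHARX SEC-3100", "CHARX SEC-3150"}
# Advisory: firmware 1.7.3 fixes these two, so anything below 1.7.3 is exposed.
FIXED_IN_1_7_3 = ("CVE-2025-24005", "CVE-2025-24006")
# Advisory: these affect the Eichrecht functionality in FW <= 1.6.5 and no
# vendor fix is planned, so network isolation is the only listed control.
NO_FIX_PLANNED = ("CVE-2025-24002", "CVE-2025-24003", "CVE-2025-24004")

FIX_VERSION = (1, 7, 3)
LAST_EICHRECHT_AFFECTED = (1, 6, 5)


def parse_version(text):
    """'1.6.5' -> (1, 6, 5).  Tuples compare numerically, so 1.10.0 sorts
    after 1.9.0; a plain string comparison would get that wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    open_cves: tuple  # CVEs the device is still exposed to at this version
    action: str       # what the advisory recommends for this device


def assess(host, product, version):
    """Apply the advisory's two version ranges to a single device."""
    if product not in AFFECTED_PRODUCTS:
        return Finding(host, product, version, (), "none")
    v = parse_version(version)
    open_cves = ()
    if v < FIX_VERSION:
        open_cves += FIXED_IN_1_7_3
    if v <= LAST_EICHRECHT_AFFECTED:
        open_cves += NO_FIX_PLANNED
    if not open_cves:
        action = "none"
    elif NO_FIX_PLANNED[0] in open_cves:
        action = ("upgrade to 1.7.3; keep on a closed, firewalled network "
                  "(no vendor fix for CVE-2025-24002/-24003/-24004)")
    else:
        action = "upgrade to 1.7.3"
    return Finding(host, product, version, open_cves, action)


# Constructed sample inventory (hosts and versions are made up).
SAMPLE_INVENTORY = """\
host,product,version
cp-01,CHARX SEC-3000,1.6.5
cp-02,CHARX SEC-3100,1.7.0
cp-03,CHARX SEC-3150,1.7.3
cp-04,CHARX SEC-3050,1.10.0
cp-05,OTHER-DEVICE,0.9
"""


def assess_inventory(csv_text):
    """Run assess() over a host,product,version CSV and return all findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [assess(r["host"], r["product"], r["version"]) for r in reader]


def devices_needing_action(csv_text):
    """Hosts that still need an upgrade or isolation, in inventory order."""
    return [f.host for f in assess_inventory(csv_text) if f.action != "none"]


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        cves = ", ".join(f.open_cves) or "-"
        print(f"{f.host:6} {f.product:15} {f.version:7} {cves:60} {f.action}")
```

Versions are compared as integer tuples rather than strings so that a later 1.10.x release is not mistaken for an affected one; a version string that does not parse raises rather than silently passing as "not affected".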

General Recommendation

For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: Application Note Security.

Reported by

Jesson Soto Ventura and Matthew Waddell from ivision.

CERT@VDE coordinated with Phoenix Contact GmbH & Co. KG