VDE-2025-019
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2025-07-08 10:00 - Updated: 2025-07-22 08:00
Summary
Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers
Severity
Critical
Notes
Summary: Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.
**Update Version 1.1.0:** Updated the reporting credits for CVE-2025-25271.
Impact: The vulnerabilities can lead to a total loss of confidentiality, integrity and availability of the devices.
Mitigation: Affected charging controllers are designed and developed for use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protecting them with a suitable firewall.
Remediation: Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes these vulnerabilities.
General Recommendation: For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Product Description: CHARX EVSE charging controller
8.8 (High)
Vendor Fix
Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes these vulnerabilities.
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | | |
| Unresolved product id: CSAFPID-32002 | — | | |
| Unresolved product id: CSAFPID-32003 | — | | |
| Unresolved product id: CSAFPID-32004 | — | | |
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | | |
| Unresolved product id: CSAFPID-31002 | — | | |
| Unresolved product id: CSAFPID-31003 | — | | |
| Unresolved product id: CSAFPID-31004 | — | | |
8.4 (High)
Vendor Fix
Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes these vulnerabilities.
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | | |
| Unresolved product id: CSAFPID-32002 | — | | |
| Unresolved product id: CSAFPID-32003 | — | | |
| Unresolved product id: CSAFPID-32004 | — | | |
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | | |
| Unresolved product id: CSAFPID-31002 | — | | |
| Unresolved product id: CSAFPID-31003 | — | | |
| Unresolved product id: CSAFPID-31004 | — | | |
9.8 (Critical)
Vendor Fix
Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes these vulnerabilities.
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | | |
| Unresolved product id: CSAFPID-32002 | — | | |
| Unresolved product id: CSAFPID-32003 | — | | |
| Unresolved product id: CSAFPID-32004 | — | | |
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | | |
| Unresolved product id: CSAFPID-31002 | — | | |
| Unresolved product id: CSAFPID-31003 | — | | |
| Unresolved product id: CSAFPID-31004 | — | | |
8.8 (High)
Vendor Fix
Phoenix Contact strongly recommends upgrading to firmware version 1.7.3, which fixes these vulnerabilities.
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | | |
| Unresolved product id: CSAFPID-32002 | — | | |
| Unresolved product id: CSAFPID-32003 | — | | |
| Unresolved product id: CSAFPID-32004 | — | | |
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | | |
| Unresolved product id: CSAFPID-31002 | — | | |
| Unresolved product id: CSAFPID-31003 | — | | |
| Unresolved product id: CSAFPID-31004 | — | | |
References
5 references
Acknowledgments
CERTVDE
certvde.com/en/
ZDI
HT3 Labs
HT3 Labs
fuzzware.io
Tobias Scharnowski
Felix Buchmann
Kristian Covic
Summoning Team (@SummoningTeam)
Sina Kheirkhah (@SinSinology)
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination.",
"urls": [
"https://certvde.com/en/"
]
},
{
"organization": "ZDI",
"summary": "coordination."
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.\n\n**Update Version 1.1.0:** Updated the reporting credits for CVE-2025-25271.",
"title": "Summary"
},
{
"category": "description",
"text": "The vulnerabilities can lead to a total loss of confidentiality, integrity and availability of the devices.",
"title": "Impact"
},
{
"category": "description",
"text": "Affected charging controllers are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes these vulnerabilities. ",
"title": "Remediation"
},
{
"category": "general",
"text": "For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).",
"title": "General Recommendation"
},
{
"category": "description",
"text": "CHARX EVSE charging controller",
"title": "Product Description"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PCSA-2025-00002",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "Phoenix Contact advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2025-019: Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-019"
},
{
"category": "self",
"summary": "VDE-2025-019: Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-019.json"
},
{
"category": "external",
"summary": "Phoenix Contact application note",
"url": "https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
}
],
"title": "Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers",
"tracking": {
"aliases": [
"VDE-2025-019",
"PCSA-2025-00002"
],
"current_release_date": "2025-07-22T08:00:00.000Z",
"generator": {
"date": "2025-07-22T08:06:45.161Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.30"
}
},
"id": "VDE-2025-019",
"initial_release_date": "2025-07-08T10:00:00.000Z",
"revision_history": [
{
"date": "2025-07-08T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial Revision"
},
{
"date": "2025-07-22T08:00:00.000Z",
"number": "1.1.0",
"summary": "Updated the reporting credits for CVE-2025-25271."
}
],
"status": "final",
"version": "1.1.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CHARX SEC-3150",
"product": {
"name": "CHARX SEC-3150",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "CHARX SEC-3100",
"product": {
"name": "CHARX SEC-3150",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "CHARX SEC-3050",
"product": {
"name": "CHARX SEC-3050",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "CHARX SEC-3000",
"product": {
"name": "CHARX SEC-3000",
"product_id": "CSAFPID-11004"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cFW 1.7.3",
"product": {
"name": "Firmware \u003cFW 1.7.3",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "FW 1.7.3",
"product": {
"name": "Firmware FW 1.7.3",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "FW \u003c1.7.3 installed on CHARX SEC-3150",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW \u003c1.7.3 installed on CHARX SEC-3100",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW \u003c1.7.3 installed on CHARX SEC-3050",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW \u003c1.7.3 installed on CHARX SEC-3000",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW 1.7.3 installed on CHARX SEC-3150",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW 1.7.3 installed on CHARX SEC-3100",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW 1.7.3 installed on CHARX SEC-3050",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "FW 1.7.3 installed on CHARX SEC-3000",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"organization": "HT3 Labs ",
"summary": "reporting."
}
],
"cve": "CVE-2025-25268",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "summary",
"text": "An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-03T10:00:00.000Z",
"details": "Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2025-25268"
},
{
"acknowledgments": [
{
"organization": "HT3 Labs",
"summary": "reporting."
}
],
"cve": "CVE-2025-25269",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-03T10:00:00.000Z",
"details": "Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.4,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2025-25269"
},
{
"acknowledgments": [
{
"names": [
"Tobias Scharnowski",
"Felix Buchmann",
"Kristian Covic"
],
"organization": "fuzzware.io",
"summary": "reporting."
}
],
"cve": "CVE-2025-25270",
"cwe": {
"id": "CWE-913",
"name": "Improper Control of Dynamically-Managed Code Resources"
},
"notes": [
{
"category": "summary",
"text": "An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-03T10:00:00.000Z",
"details": "Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2025-25270"
},
{
"acknowledgments": [
{
"names": [
"Sina Kheirkhah (@SinSinology)"
],
"organization": "Summoning Team (@SummoningTeam)",
"summary": "reporting."
}
],
"cve": "CVE-2025-25271",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"notes": [
{
"category": "summary",
"text": "An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-03T10:00:00.000Z",
"details": "Phoenix Contact strongly recommends to upgrade to firmware version 1.7.3 which fixes these vulnerabilities.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2025-25271"
}
]
}