An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations.
An unauthenticated remote attacker can modify the device configuration in such a way that, under specific settings, it leads to remote code execution (RCE). The attack is possible over the network without requiring any privileges or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates low attack complexity and no prerequisites on the attacker's side.
An attacker gains the ability to remotely execute arbitrary code with root privileges, resulting in complete device takeover, loss of data confidentiality and integrity, and potential disruption of charging service availability.
Apply patches available from the manufacturer in accordance with the references (https://certvde.com/de/advisories/VDE-2025-019). Until the patch is deployed, it is recommended to restrict network access to CHARX SEC devices through a firewall or network segmentation, and to avoid exposing configuration interfaces to the public network.
Phoenix Contact CHARX SEC-3000, CHARX SEC-3050 (Firmware), CHARX SEC-3100 (Firmware), CHARX SEC-3150 (Firmware) — exact versions of vulnerable software are indicated in the manufacturer's references (VDE-2025-019).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhoenixcontact Charx Sec 3000
HWPhoenixcontactwszystkie wersjePhoenixcontact Charx Sec 3000 Firmware
OSPhoenixcontact< 1.7.3Phoenixcontact Charx Sec 3050
HWPhoenixcontactwszystkie wersjePhoenixcontact Charx Sec 3050 Firmware
OSPhoenixcontact< 1.7.3Phoenixcontact Charx Sec 3100
HWPhoenixcontactwszystkie wersjePhoenixcontact Charx Sec 3100 Firmware
OSPhoenixcontact< 1.7.3Phoenixcontact Charx Sec 3150
HWPhoenixcontactwszystkie wersjePhoenixcontact Charx Sec 3150 Firmware
OSPhoenixcontact< 1.7.3
Related vulnerabilities
RCE i eskalacja uprawnień w Phoenix Contact CHARX SEC — brak walidacji danych wejściowych
A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to ...
A low privileged local attacker can leverage insecure permissions via SSH on the affected devices to escalate ...
An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations ...
An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint ...