Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-25998

CVE-2024-25998: Phoenixcontact Charx Sec-3000 RCE Flaw

CVE-2024-25998 is a remote code execution vulnerability in Phoenixcontact Charx Sec-3000 Firmware caused by command injection in the OCPP Service. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-25998 Overview

CVE-2024-25998 is a command injection vulnerability affecting Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle (EV) charging controllers. The flaw resides in the Open Charge Point Protocol (OCPP) service and stems from improper input validation [CWE-77]. An unauthenticated remote attacker can inject operating system commands that execute with the limited privileges of the OCPP service. The vulnerability is reachable over the network with low attack complexity and requires no user interaction. Successful exploitation can disrupt charging operations, expose configuration data, and provide an initial foothold for further attacks against operational technology (OT) infrastructure.

Critical Impact

Unauthenticated remote command injection against EV charging controllers exposed to the network, enabling attackers to execute arbitrary commands within the OCPP service context.

Affected Products

  • Phoenix Contact CHARX SEC-3000 and SEC-3000 firmware
  • Phoenix Contact CHARX SEC-3050 and SEC-3050 firmware
  • Phoenix Contact CHARX SEC-3100 / SEC-3150 and associated firmware

Discovery Timeline

  • 2024-03-12 - CVE-2024-25998 published to NVD
  • 2025-01-24 - Last updated in NVD database

Technical Details for CVE-2024-25998

Vulnerability Analysis

The CHARX SEC family of charging controllers implements the Open Charge Point Protocol (OCPP) to communicate with central management systems. The OCPP service accepts attacker-controlled input over the network and passes it to a downstream shell or system interpreter without adequate sanitization. Because the service runs continuously and listens for remote messages, attackers do not need credentials or local access to reach the vulnerable code path.

The injection occurs within a process that holds limited privileges rather than root, which constrains direct system compromise. However, attackers can still read accessible files, execute reconnaissance commands, manipulate charging session data, and stage secondary exploits to chain with local privilege escalation flaws on the same device.

Root Cause

The root cause is improper neutralization of special elements used in an OS command, classified under [CWE-77]. Input received through OCPP message handlers is concatenated into a command string and passed to a system call without escaping shell metacharacters such as ;, |, &, `, or $(). Any field reflected into the shell invocation becomes a primitive for arbitrary command execution.

Attack Vector

Exploitation requires only network reachability to the OCPP service endpoint on the targeted CHARX SEC controller. An attacker crafts an OCPP request containing shell metacharacters within an affected parameter. The OCPP service parses the request, builds the command string, and executes the injected payload. No authentication, no prior session, and no user interaction is required.

The vulnerability mechanism is described in the vendor advisory; verified proof-of-concept code is not publicly available. See the VDE Security Advisory VDE-2024-011 for technical details and remediation guidance.

Detection Methods for CVE-2024-25998

Indicators of Compromise

  • Unexpected child processes spawned by the OCPP service binary on CHARX SEC devices, particularly shells (/bin/sh, /bin/bash) or networking utilities (curl, wget, nc).
  • Outbound network connections from the charging controller to unrecognized external hosts following OCPP message activity.
  • OCPP request payloads containing shell metacharacters such as ;, |, backticks, or $() sequences in fields that normally accept alphanumeric data.

Detection Strategies

  • Inspect OCPP traffic at the network boundary for malformed messages or parameter values containing command separators and substitution syntax.
  • Baseline the normal process tree of the OCPP service and alert on deviations, especially shell interpreters or file system modifications under service-writable directories.
  • Correlate authentication-less OCPP sessions with subsequent anomalous outbound traffic from the charging infrastructure VLAN.

Monitoring Recommendations

  • Forward syslog and process telemetry from CHARX SEC devices to a centralized SIEM for retention and correlation.
  • Monitor charging station management systems for unexplained configuration changes, firmware status anomalies, or session log gaps.
  • Track all inbound connections to OCPP service ports and alert on sources outside the approved charging management network.

How to Mitigate CVE-2024-25998

Immediate Actions Required

  • Apply the firmware update referenced in VDE Security Advisory VDE-2024-011 to all affected CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 controllers.
  • Inventory exposed charging controllers and confirm none have OCPP service ports reachable from untrusted networks or the public internet.
  • Review logs from affected devices for evidence of exploitation since deployment, focusing on anomalous OCPP requests and process activity.

Patch Information

Phoenix Contact has coordinated with VDE-CERT on remediation. Refer to the VDE Security Advisory VDE-2024-011 for the list of fixed firmware versions and download instructions for each affected CHARX SEC model.

Workarounds

  • Restrict network access to the OCPP service using firewall rules so that only the central charging station management system can initiate connections.
  • Segment EV charging infrastructure onto an isolated VLAN with strict ingress and egress filtering from corporate and public networks.
  • Place the OCPP endpoint behind a VPN or mutually authenticated TLS proxy until firmware updates can be deployed across the fleet.
bash
# Example iptables restriction limiting OCPP access to a trusted management host
iptables -A INPUT -p tcp --dport 8080 -s <management_host_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.