CVE-2024-26288 Overview
CVE-2024-26288 affects Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle charging controllers. The vulnerability stems from missing encryption of sensitive data in transit, classified as CWE-319 (Cleartext Transmission of Sensitive Information). An unauthenticated remote attacker positioned on the network path can intercept and modify communications through a man-in-the-middle (MITM) attack. According to vendor advisory VDE-2024-011, the charging function itself is not affected, but management and control traffic can be observed or altered. The flaw carries a CVSS 3.1 base score of 8.7 and was published to NVD on March 12, 2024.
Critical Impact
An unauthenticated network attacker can passively observe or actively tamper with sensitive controller communications, undermining confidentiality and integrity of EV charging management traffic.
Affected Products
- Phoenix Contact CHARX SEC-3000 and CHARX SEC-3000 firmware
- Phoenix Contact CHARX SEC-3050 and CHARX SEC-3050 firmware
- Phoenix Contact CHARX SEC-3100 / SEC-3150 and associated firmware
Discovery Timeline
- 2024-03-12 - CVE-2024-26288 published to NVD
- 2025-01-23 - Last updated in NVD database
Technical Details for CVE-2024-26288
Vulnerability Analysis
The CHARX SEC series provides charging control and communication functions for electric vehicle infrastructure. The affected controllers transmit sensitive data over the network without applying transport-layer encryption. An attacker with logical access to the network path between a CHARX SEC controller and its peers can read the cleartext traffic or interpose between the endpoints to modify message contents. The vendor advisory clarifies that the charging process itself continues to operate; the exposure is confined to management and signaling traffic that crosses the unencrypted channel. Successful exploitation compromises both confidentiality and integrity of operator commands, telemetry, and configuration data.
Root Cause
The root cause is the absence of cryptographic protection on a communication channel that carries sensitive information. The controller relies on the network layer for confidentiality rather than implementing authenticated encryption (such as TLS) at the application protocol. This design assumption fails whenever an attacker can reach the same broadcast domain, gain access to upstream network equipment, or interpose on routes to and from the device.
Attack Vector
Exploitation requires the attacker to be on the network path and to perform active interception techniques such as Address Resolution Protocol (ARP) spoofing, rogue Dynamic Host Configuration Protocol (DHCP), or compromise of intermediate switching or routing equipment. Once interposed, the attacker reads protocol fields directly and can rewrite messages before forwarding them. No credentials or user interaction are required. The attack complexity is elevated by the need to establish the MITM position, but no application-level authentication mitigates the exposure.
No verified public proof-of-concept code is available for this vulnerability. Refer to the VDE Security Advisory VDE-2024-011 for vendor-supplied technical detail.
Detection Methods for CVE-2024-26288
Indicators of Compromise
- Unexpected ARP table changes on network segments containing CHARX SEC-3000/3050/3100/3150 controllers, including duplicate MAC bindings for the controller IP
- Cleartext protocol traffic to or from CHARX controllers observed on network taps, including credentials, configuration parameters, or session identifiers
- New or unauthorized devices appearing on the operational technology (OT) VLAN serving the chargers
Detection Strategies
- Monitor for ARP anomalies and gratuitous ARP frames on charging infrastructure VLANs using a network detection sensor or switch port mirroring
- Baseline normal traffic flows for each CHARX controller and alert on new source IPs, unusual destination ports, or modified payload structures
- Inspect management traffic for plaintext credentials or configuration fields that should not be observable on the wire
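The ARP checks named in the indicators and detection strategies above, as an added example that is not from the vendor advisory or the original page: it compares two `ip neigh show` snapshots taken on a host in the charger VLAN and reports changed MACs, shared MACs and new hosts. All addresses, the controller list and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed `ip neigh show` snapshots from a host on the charger VLAN; every address is made up.
BASELINE = """\
10.10.50.1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
10.10.50.11 dev eth0 lladdr 02:00:00:00:50:11 REACHABLE
10.10.50.12 dev eth0 lladdr 02:00:00:00:50:12 STALE
"""
CURRENT = """\
10.10.50.1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
10.10.50.11 dev eth0 lladdr 02:00:00:00:66:66 REACHABLE
10.10.50.12 dev eth0 lladdr 02:00:00:00:50:12 REACHABLE
10.10.50.77 dev eth0 lladdr 02:00:00:00:66:66 REACHABLE
10.10.50.13 dev eth0  FAILED
"""
CONTROLLERS = {"10.10.50.11", "10.10.50.12"}  # assumed CHARX controller IPs

def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[1] == "dev" and "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_findings(baseline, current, controllers):
    """Compare two snapshots; return sorted (kind, ip(s), detail) tuples."""
    old, new = parse_neigh(baseline), parse_neigh(current)
    findings = []
    # 1. A controller IP that now resolves to a different MAC.
    for ip in controllers:
        if ip in old and ip in new and old[ip] != new[ip]:
            findings.append(("mac-changed", ip, f"{old[ip]} -> {new[ip]}"))
    # 2. One MAC answering for a controller IP and at least one other IP.
    by_mac = defaultdict(set)
    for ip, mac in new.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and ips & set(controllers):
            findings.append(("mac-shared", ",".join(sorted(ips)), mac))
    # 3. Hosts that were not on the segment in the baseline.
    for ip in new.keys() - old.keys():
        findings.append(("new-host", ip, new[ip]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in arp_findings(BASELINE, CURRENT, CONTROLLERS):
        print(*finding, sep="\t")
```

A MAC change on its own can also follow a legitimate hardware swap, so treat `mac-changed` together with `mac-shared` as the stronger signal.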
Monitoring Recommendations
- Aggregate switch, DHCP, and ARP logs into a centralized analytics platform for correlation across the OT network
- Deploy passive network monitoring at aggregation points serving EV charging sites, with alerts tuned for MITM precursors
- Periodically audit which hosts can route to CHARX controllers and review firewall logs for unexpected sources
How to Mitigate CVE-2024-26288
Immediate Actions Required
- Apply the firmware update referenced in VDE-2024-011 on all affected CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 units
- Place CHARX controllers on a dedicated, segmented VLAN with strict access control lists restricting which hosts can reach management ports
- Enable dynamic ARP inspection and DHCP snooping on switches serving the charging infrastructure
Patch Information
Phoenix Contact published mitigation guidance through CERT@VDE in advisory VDE-2024-011. Operators should consult the advisory for the specific firmware versions that remediate CVE-2024-26288 and follow the vendor update procedure for each CHARX SEC model in the fleet.
Workarounds
- Restrict network access to CHARX controllers to a minimum set of trusted management stations using firewall rules
- Tunnel management traffic over a virtual private network (VPN) or IPsec channel between operator workstations and the charging site
- Disable or filter any unused network services on the controllers to reduce exposed cleartext protocols
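```bash
# Example: restrict management access to a single jump host on a Linux gateway
# Allow TCP/443 from the jump host (10.10.20.10) to the controller subnet
iptables -A FORWARD -s 10.10.20.10 -d 10.10.50.0/24 -p tcp --dport 443 -j ACCEPT
# Drop all other forwarded traffic destined for the controller subnet
iptables -A FORWARD -d 10.10.50.0/24 -j DROP
```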