CVE-2025-24003 Overview
CVE-2025-24003 is an out-of-bounds write vulnerability (CWE-120) affecting Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle charging controllers. The flaw resides in the EichrechtAgent component, which implements measurement integrity functions required by German Calibration Law (Eichrecht). An unauthenticated remote attacker can send crafted MQTT messages to trigger memory corruption in this component. Exploitation leads to integrity loss within the EichrechtAgent and denial-of-service conditions on affected charging stations.
Critical Impact
Unauthenticated remote attackers can disrupt charging station availability and compromise the integrity of calibration-relevant measurement data via crafted MQTT traffic.
Affected Products
- Phoenix Contact CHARX SEC-3000 and SEC-3050 firmware
- Phoenix Contact CHARX SEC-3100 and SEC-3150 firmware
- Charging controllers deployed under German Calibration Law (Eichrecht)
Discovery Timeline
- 2025-07-08 - CVE-2025-24003 published to NVD
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2025-24003
Vulnerability Analysis
The vulnerability is a classic buffer copy without size checking (CWE-120) in the EichrechtAgent process. This component handles MQTT messages related to metering and calibration-law compliance. When the agent parses incoming MQTT payloads, it writes data beyond the bounds of an allocated buffer.
The out-of-bounds write corrupts adjacent memory regions used by the EichrechtAgent. This corruption directly impacts the integrity of measurement and billing-relevant data processed by the agent. The process can then crash, producing a denial-of-service condition on the charging controller. Other system components remain functionally isolated according to vendor scope analysis.
Exploitation requires network reachability to the MQTT broker exposed by the charging station. No authentication or user interaction is required.
Root Cause
The root cause is missing input length validation when processing MQTT message payloads inside the EichrechtAgent. The component copies attacker-controlled data into a fixed-size buffer without verifying that the source length fits the destination. This bypasses memory safety boundaries and allows adjacent heap or stack structures to be overwritten.
Attack Vector
The attack vector is network-based over the MQTT protocol. An attacker who can reach the charging station's MQTT interface publishes a malformed message to a topic consumed by the EichrechtAgent. The agent parses the payload and triggers the out-of-bounds write. Successful exploitation results in process termination, station unavailability, and possible falsification of calibration-relevant state held by the agent.
No public proof-of-concept exploit code is available for CVE-2025-24003. Refer to the CERT@VDE Security Advisory VDE-2025-014 for vendor technical details.
Detection Methods for CVE-2025-24003
Indicators of Compromise
- Unexpected restarts or crashes of the EichrechtAgent process on CHARX SEC controllers
- MQTT publish operations from untrusted sources targeting Eichrecht-related topics
- Anomalously large or malformed MQTT payloads directed at charging station brokers
- Gaps or inconsistencies in calibration-law measurement logs
Detection Strategies
- Inspect MQTT traffic to charging stations for oversized payloads and unexpected publishers
- Monitor charging controller logs for EichrechtAgent segmentation faults or restart events
- Correlate station unavailability events with inbound network traffic on MQTT ports
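The first strategy above, inspecting MQTT traffic for oversized payloads and unexpected publishers, can be sketched as a parser for captured MQTT 3.1.1 PUBLISH packets. This is an added example, not code from the advisory or the vendor. The payload ceiling, the publisher allowlist and the topic prefix are assumptions to replace with site values, since the advisory states neither topic names nor a size limit.

```python
# Assumed site policy; none of these values come from the advisory.
MAX_PAYLOAD = 1024                     # ceiling for a legitimate payload, in bytes
ALLOWED_PUBLISHERS = {"192.0.2.10"}    # authorized backend (documentation address)
WATCHED_PREFIX = "example/eichrecht/"  # placeholder for the agent's topic prefix

def decode_remaining_length(buf, pos=1):
    """Decode MQTT's variable-length 'remaining length'; return (value, next_pos)."""
    value = 0
    for i in range(4):                 # the spec allows at most four length bytes
        if pos + i >= len(buf):
            raise ValueError("truncated length field")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("length field longer than four bytes")

def inspect_publish(packet, src_ip):
    """Return finding tags for one captured MQTT 3.1.1 PUBLISH packet."""
    if not packet or packet[0] >> 4 != 3:
        return []                      # not a PUBLISH, nothing to check here
    try:
        remaining, pos = decode_remaining_length(packet)
    except ValueError:
        return ["malformed"]
    end = pos + remaining
    topic_len = int.from_bytes(packet[pos:pos + 2], "big")
    qos = (packet[0] >> 1) & 0x03
    payload_at = pos + 2 + topic_len + (2 if qos else 0)  # QoS 1/2 add a packet id
    if end > len(packet) or payload_at > end:
        return ["malformed"]           # declared lengths disagree with the bytes
    topic = packet[pos + 2:pos + 2 + topic_len].decode("utf-8", "replace")
    findings = []
    if end - payload_at > MAX_PAYLOAD:
        findings.append("oversized-payload")
    if topic.startswith(WATCHED_PREFIX) and src_ip not in ALLOWED_PUBLISHERS:
        findings.append("unexpected-publisher")
    return findings

def build_publish(topic, payload):
    """Build a QoS 0 PUBLISH packet; used only to construct sample input."""
    name = topic.encode()
    body = len(name).to_bytes(2, "big") + name + payload
    n, length = len(body), bytearray()
    while n or not length:
        length.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
    return bytes([0x30]) + bytes(length) + body
```

Feed `inspect_publish` the reassembled MQTT packets from a capture on the OT segment along with each packet's source address; a "malformed" tag means the declared lengths do not match the captured bytes.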
Monitoring Recommendations
- Deploy network monitoring on operational technology (OT) segments hosting CHARX SEC devices
- Alert on MQTT connections originating from outside authorized backend systems
- Track firmware versions across the CHARX fleet to identify unpatched stations
How to Mitigate CVE-2025-24003
Immediate Actions Required
- Restrict network access to the MQTT interface of CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 controllers to trusted management systems
- Place charging stations behind a firewall and segment them from general IT networks
- Apply firmware updates published by Phoenix Contact as referenced in CERT@VDE VDE-2025-014
Patch Information
Phoenix Contact has issued guidance through CERT@VDE Security Advisory VDE-2025-014. Operators should consult that advisory for fixed firmware versions and upgrade procedures specific to each CHARX SEC model.
Workarounds
- Block external access to MQTT ports on charging stations using network access control lists
- Require mutual TLS authentication on MQTT brokers where supported by the deployment architecture
- Disable or isolate the EichrechtAgent MQTT topics from untrusted publishers until firmware is updated
- Monitor EichrechtAgent process health and automate alerting on abnormal terminations


