CVE-2025-25268 Overview
CVE-2025-25268 affects Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle charging controllers. An unauthenticated attacker on an adjacent network can send crafted requests to an exposed API endpoint and modify device configuration. The vulnerability stems from missing authentication [CWE-306] on the endpoint, granting both read and write access. Phoenix Contact CHARX SEC devices operate as charging controllers in public and commercial EV infrastructure, making configuration tampering a direct threat to charging availability and safety.
Critical Impact
Attackers with adjacent network access can read and modify charging controller configuration without credentials, impacting confidentiality, integrity, and availability of EV charging operations.
Affected Products
- Phoenix Contact CHARX SEC-3000 (firmware and hardware)
- Phoenix Contact CHARX SEC-3050 and CHARX SEC-3100 (firmware and hardware)
- Phoenix Contact CHARX SEC-3150 (firmware and hardware)
Discovery Timeline
- 2025-07-08 - CVE-2025-25268 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-25268
Vulnerability Analysis
The CHARX SEC controllers expose an API endpoint that fails to enforce authentication before processing requests. An adjacent attacker, meaning one with access to the same logical or physical network segment as the device, can query the endpoint and issue configuration changes. Because the endpoint provides both read and write access, an attacker can enumerate the current configuration and then alter parameters that influence charging session behavior, network settings, or operational policies. The advisory published by CERT@VDE (VDE-2025-019) classifies the issue as a missing authentication weakness in the device management interface.
Root Cause
The root cause is a missing authentication check on an API endpoint used to manage device configuration. The endpoint accepts requests and applies changes without verifying caller identity or session validity. This corresponds to CWE-306 (Missing Authentication for Critical Function). No credential, token, or certificate validation is performed before configuration state is modified.
Attack Vector
Exploitation requires adjacent network access, such as a shared LAN, a co-located management VLAN, or a compromised device on the same broadcast domain. The attacker sends specific HTTP or API requests to the vulnerable endpoint on the CHARX SEC controller. No user interaction and no prior privileges are required. Successful exploitation yields full read and write access to configuration data, enabling operational disruption or persistent tampering of the charging controller. See the CERT@VDE Security Advisory VDE-2025-019 for technical details.
No public proof-of-concept exploit is available at the time of publication.
Detection Methods for CVE-2025-25268
Indicators of Compromise
- Unexpected configuration changes on CHARX SEC-3000, SEC-3050, SEC-3100, or SEC-3150 controllers with no corresponding administrative action
- API requests to the CHARX management endpoint originating from unmanaged or unknown adjacent hosts
- Sudden changes to charging session parameters, network settings, or access control lists on affected devices
Detection Strategies
- Monitor network flows on OT/charging management segments for HTTP/API traffic to CHARX SEC controllers from hosts other than approved management stations
- Correlate device configuration snapshots over time and alert on unauthorized deltas
- Deploy network intrusion detection signatures for anomalous request patterns targeting the affected API endpoint
Monitoring Recommendations
- Ingest CHARX SEC device logs and adjacent network telemetry into a centralized data lake for cross-source correlation, using OCSF-normalized SIEM platforms such as Singularity Data Lake to surface configuration-change events alongside network activity
- Track authentication and configuration audit events from EV charging infrastructure and alert on write operations that lack a corresponding authenticated session
- Baseline management traffic to charging controllers and alert on new source addresses or off-hours access
How to Mitigate CVE-2025-25268
Immediate Actions Required
- Apply the Phoenix Contact firmware update referenced in CERT@VDE VDE-2025-019 to all CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 units
- Restrict adjacent network access to CHARX SEC controllers by placing them on a dedicated, filtered management VLAN
- Inventory all deployed CHARX SEC devices and confirm firmware versions against the fixed release
Patch Information
Phoenix Contact and CERT@VDE published advisory VDE-2025-019 describing the missing authentication issue and the corresponding firmware remediation. Operators should consult the advisory for the exact fixed firmware versions applicable to each CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 model and follow the vendor's upgrade procedure.
Workarounds
- Segment CHARX SEC controllers onto isolated networks reachable only by authorized management systems
- Enforce access control lists on switches and firewalls to permit API traffic exclusively from known administrator hosts
- Disable or block the vulnerable API endpoint at the network perimeter where firmware updates cannot be applied immediately
- Monitor unmanaged IoT and OT assets, including EV charging controllers, using platforms such as Singularity Platform that extend visibility to devices without native agents
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

