Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-25268

CVE-2025-25268: Phoenixcontact Charx Auth Bypass Flaw

CVE-2025-25268 is an authentication bypass vulnerability in Phoenixcontact Charx Sec-3000 Firmware allowing adjacent attackers unauthorized API access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-25268 Overview

CVE-2025-25268 affects Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle charging controllers. An unauthenticated attacker on an adjacent network can send crafted requests to an exposed API endpoint and modify device configuration. The vulnerability stems from missing authentication [CWE-306] on the endpoint, granting both read and write access. Phoenix Contact CHARX SEC devices operate as charging controllers in public and commercial EV infrastructure, making configuration tampering a direct threat to charging availability and safety.

Critical Impact

Attackers with adjacent network access can read and modify charging controller configuration without credentials, impacting confidentiality, integrity, and availability of EV charging operations.

Affected Products

  • Phoenix Contact CHARX SEC-3000 (firmware and hardware)
  • Phoenix Contact CHARX SEC-3050 and CHARX SEC-3100 (firmware and hardware)
  • Phoenix Contact CHARX SEC-3150 (firmware and hardware)

Discovery Timeline

  • 2025-07-08 - CVE-2025-25268 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-25268

Vulnerability Analysis

The CHARX SEC controllers expose an API endpoint that fails to enforce authentication before processing requests. An adjacent attacker, meaning one with access to the same logical or physical network segment as the device, can query the endpoint and issue configuration changes. Because the endpoint provides both read and write access, an attacker can enumerate the current configuration and then alter parameters that influence charging session behavior, network settings, or operational policies. The advisory published by CERT@VDE (VDE-2025-019) classifies the issue as a missing authentication weakness in the device management interface.

Root Cause

The root cause is a missing authentication check on an API endpoint used to manage device configuration. The endpoint accepts requests and applies changes without verifying caller identity or session validity. This corresponds to CWE-306 (Missing Authentication for Critical Function). No credential, token, or certificate validation is performed before configuration state is modified.

Attack Vector

Exploitation requires adjacent network access, such as a shared LAN, a co-located management VLAN, or a compromised device on the same broadcast domain. The attacker sends specific HTTP or API requests to the vulnerable endpoint on the CHARX SEC controller. No user interaction and no prior privileges are required. Successful exploitation yields full read and write access to configuration data, enabling operational disruption or persistent tampering of the charging controller. See the CERT@VDE Security Advisory VDE-2025-019 for technical details.

No public proof-of-concept exploit is available at the time of publication.

Detection Methods for CVE-2025-25268

Indicators of Compromise

  • Unexpected configuration changes on CHARX SEC-3000, SEC-3050, SEC-3100, or SEC-3150 controllers with no corresponding administrative action
  • API requests to the CHARX management endpoint originating from unmanaged or unknown adjacent hosts
  • Sudden changes to charging session parameters, network settings, or access control lists on affected devices

Detection Strategies

  • Monitor network flows on OT/charging management segments for HTTP/API traffic to CHARX SEC controllers from hosts other than approved management stations
  • Correlate device configuration snapshots over time and alert on unauthorized deltas
  • Deploy network intrusion detection signatures for anomalous request patterns targeting the affected API endpoint

Monitoring Recommendations

  • Ingest CHARX SEC device logs and adjacent network telemetry into a centralized data lake for cross-source correlation, using OCSF-normalized SIEM platforms such as Singularity Data Lake to surface configuration-change events alongside network activity
  • Track authentication and configuration audit events from EV charging infrastructure and alert on write operations that lack a corresponding authenticated session
  • Baseline management traffic to charging controllers and alert on new source addresses or off-hours access

How to Mitigate CVE-2025-25268

Immediate Actions Required

  • Apply the Phoenix Contact firmware update referenced in CERT@VDE VDE-2025-019 to all CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 units
  • Restrict adjacent network access to CHARX SEC controllers by placing them on a dedicated, filtered management VLAN
  • Inventory all deployed CHARX SEC devices and confirm firmware versions against the fixed release

Patch Information

Phoenix Contact and CERT@VDE published advisory VDE-2025-019 describing the missing authentication issue and the corresponding firmware remediation. Operators should consult the advisory for the exact fixed firmware versions applicable to each CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 model and follow the vendor's upgrade procedure.

Workarounds

  • Segment CHARX SEC controllers onto isolated networks reachable only by authorized management systems
  • Enforce access control lists on switches and firewalls to permit API traffic exclusively from known administrator hosts
  • Disable or block the vulnerable API endpoint at the network perimeter where firmware updates cannot be applied immediately
  • Monitor unmanaged IoT and OT assets, including EV charging controllers, using platforms such as Singularity Platform that extend visibility to devices without native agents

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.