CVE-2025-25269 Overview
CVE-2025-25269 is a command injection vulnerability affecting Phoenix Contact CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 electric vehicle charge controllers. An unauthenticated local attacker can inject operating system commands that the device subsequently executes with root privileges. The flaw maps to [CWE-78] (Improper Neutralization of Special Elements used in an OS Command) and enables full privilege escalation on affected charge controller firmware.
Critical Impact
Successful exploitation yields root-level code execution on CHARX SEC charge controllers, compromising the confidentiality, integrity, and availability of the electric vehicle charging infrastructure.
Affected Products
- Phoenix Contact CHARX SEC-3000 and SEC-3000 firmware
- Phoenix Contact CHARX SEC-3050 and SEC-3050 firmware
- Phoenix Contact CHARX SEC-3100 / SEC-3150 and corresponding firmware
Discovery Timeline
- 2025-07-08 - CVE-2025-25269 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-25269
Vulnerability Analysis
The vulnerability resides in an interface on the CHARX SEC charge controller that accepts attacker-controlled input without proper neutralization of shell metacharacters. When the affected component constructs and executes an operating system command using this input, the attacker's payload is interpreted by the shell and runs in the security context of the root user.
Because the attack vector is local and requires no authentication or user interaction, any process or actor with local access to the device's exposed interface can trigger execution. The combination of unauthenticated access and root-level execution produces full compromise of the charge controller. An attacker can read sensitive configuration, modify firmware behavior, disrupt charging operations, or pivot to adjacent operational technology (OT) networks.
Root Cause
The root cause is improper neutralization of special elements passed into an OS command, classified under [CWE-78]. The affected firmware concatenates untrusted input into a command string executed by a shell interpreter rather than passing arguments through a safe execution API or applying strict allowlist validation. Metacharacters such as ;, |, &, and backticks are not stripped or escaped, allowing arbitrary command chaining.
Attack Vector
Exploitation requires local access to an exposed control interface on the CHARX SEC controller. The attacker submits a crafted payload containing shell metacharacters appended to an otherwise legitimate parameter value. When the firmware passes that value to the underlying shell, the injected commands execute as root. No credentials, tokens, or user interaction are required to complete the attack.
Detailed technical analysis is available in the CERT@VDE Advisory VDE-2025-019.
Detection Methods for CVE-2025-25269
Indicators of Compromise
- Unexpected child processes spawned by the CHARX charge controller service running as root.
- Shell metacharacters (;, |, &, $(), backticks) appearing in request parameters logged by the device's local interface.
- New or modified files in writable filesystem locations such as /tmp, /var/tmp, or persistent configuration directories.
- Outbound network connections from the charge controller to unexpected hosts following local interface activity.
Detection Strategies
- Inspect device logs for command-line arguments containing shell metacharacters submitted to administrative or diagnostic endpoints.
- Correlate local-interface activity with the creation of new processes, cron jobs, or systemd units on the controller.
- Baseline normal process trees on CHARX SEC devices and alert on deviations such as sh, bash, wget, curl, or nc invocations.
Monitoring Recommendations
- Forward charge controller syslog and audit data to a centralized analytics platform for retention and correlation.
- Monitor the OT network segment containing CHARX SEC devices for lateral movement attempts following suspicious local activity.
- Track firmware version inventory continuously to confirm patched builds remain deployed across the fleet.
How to Mitigate CVE-2025-25269
Immediate Actions Required
- Apply the firmware update referenced in CERT@VDE Advisory VDE-2025-019 to all affected CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 units.
- Restrict physical and local network access to the charge controllers to authorized personnel and management hosts only.
- Audit existing devices for indicators of prior exploitation before returning them to production.
Patch Information
Phoenix Contact has coordinated remediation through CERT@VDE. Operators should consult CERT@VDE Advisory VDE-2025-019 for the specific fixed firmware versions and update procedures for each CHARX SEC model.
Workarounds
- Segment CHARX SEC devices onto a dedicated OT VLAN with strict access control lists limiting which hosts can reach local management interfaces.
- Disable or block any unnecessary local services on the controllers until the firmware update is applied.
- Enforce physical security controls on charge station enclosures to prevent unauthorized local access to maintenance ports.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

