CVE-2025-25271 Overview
CVE-2025-25271 affects Phoenix Contact CHARX SEC-3000/3050/3100/3150 electric vehicle charging controllers. The vulnerability stems from insecure default settings on the device configuration interface. An unauthenticated attacker with adjacent network access can configure a new Open Charge Point Protocol (OCPP) backend on the device. Redirecting OCPP traffic to an attacker-controlled backend allows manipulation of charging sessions, billing data, and device commands. The flaw is tracked under CWE-1188 (Initialization of a Resource with an Insecure Default).
Critical Impact
An unauthenticated adjacent attacker can hijack the OCPP backend configuration of CHARX SEC charging controllers, compromising confidentiality, integrity, and availability of EV charging operations.
Affected Products
- Phoenix Contact CHARX SEC-3000 and CHARX SEC-3000 firmware
- Phoenix Contact CHARX SEC-3050 and CHARX SEC-3050 firmware
- Phoenix Contact CHARX SEC-3100 / CHARX SEC-3150 and associated firmware
Discovery Timeline
- 2025-07-08 - CVE-2025-25271 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-25271
Vulnerability Analysis
The CHARX SEC controllers expose a configuration interface that ships with insecure default settings. The interface does not enforce authentication for changes to the OCPP backend endpoint. OCPP is the standard protocol used by EV charging stations to communicate with central management systems for authorization, metering, and remote control.
An attacker on the adjacent network sends configuration requests directing the charger to a rogue OCPP backend under attacker control. Once the charger registers with the malicious backend, the attacker can issue OCPP commands, observe transaction data, and disrupt charging service. The advisory is published by CERT@VDE under VDE-2025-019.
Root Cause
The configuration interface uses insecure defaults that allow OCPP backend reconfiguration without authentication. The device does not require credentials, mutual TLS, or operator approval to change a security-critical setting. This matches the CWE-1188 pattern where a resource is initialized with insufficient access restrictions.
Attack Vector
Exploitation requires adjacent network access — typically the local network segment shared with the charging controller. No user interaction or prior authentication is needed. The attacker issues configuration calls to the exposed interface and points the OCPP client at a rogue backend. Subsequent charging sessions, RFID authorizations, and remote start/stop commands flow through the attacker.
No verified public proof-of-concept exploit is available at this time. See the CERT@VDE advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-25271
Indicators of Compromise
- Unexpected changes to the configured OCPP central system URL or endpoint on CHARX SEC devices.
- OCPP BootNotification or StatusNotification messages directed to unknown or non-corporate domains.
- Outbound WebSocket connections from charger management VLANs to unapproved destinations.
- Unrecognized configuration write operations against the CHARX SEC management interface.
Detection Strategies
- Baseline the OCPP backend URL on every CHARX SEC controller and alert on configuration drift.
- Inspect network flows from EV charging VLANs for new outbound TLS or WebSocket destinations.
- Correlate charger configuration changes with authorized change-management tickets.
Monitoring Recommendations
- Forward charger logs and network telemetry to a centralized SIEM with OT-aware parsers.
- Monitor adjacent network segments for unauthenticated HTTP/HTTPS calls to the CHARX configuration interface.
- Track OCPP session establishment events and compare backend fingerprints against an allowlist.
How to Mitigate CVE-2025-25271
Immediate Actions Required
- Apply the firmware update referenced in VDE-2025-019 on all affected CHARX SEC-3000/3050/3100/3150 units.
- Restrict network access to the charger configuration interface using firewalls and VLAN segmentation.
- Audit the OCPP backend URL on every device and reset any unauthorized changes.
- Rotate any credentials or shared secrets used between chargers and the central management system.
Patch Information
Phoenix Contact has published mitigation guidance through CERT@VDE in advisory VDE-2025-019. Operators should consult the advisory for the fixed firmware versions and apply the vendor-supplied update.
Workarounds
- Place CHARX SEC controllers on an isolated management VLAN reachable only by authorized engineering hosts.
- Block inbound access to the configuration interface from untrusted adjacent networks using ACLs or firewall rules.
- Require VPN or jump-host access for any administrative interaction with charger management interfaces.
- Disable or restrict the configuration service when not actively in use for provisioning.
# Example firewall rule restricting CHARX SEC management interface to a jump host
# Replace <CHARGER_IP> and <ADMIN_HOST_IP> with environment-specific values
iptables -A FORWARD -s <ADMIN_HOST_IP> -d <CHARGER_IP> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <CHARGER_IP> -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

