Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-25271

CVE-2025-25271: Charx Sec-3000 Auth Bypass Vulnerability

CVE-2025-25271 is an authentication bypass flaw in Phoenixcontact Charx Sec-3000 Firmware that allows adjacent attackers to configure OCPP backends via insecure defaults. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-25271 Overview

CVE-2025-25271 affects Phoenix Contact CHARX SEC-3000/3050/3100/3150 electric vehicle charging controllers. The vulnerability stems from insecure default settings on the device configuration interface. An unauthenticated attacker with adjacent network access can configure a new Open Charge Point Protocol (OCPP) backend on the device. Redirecting OCPP traffic to an attacker-controlled backend allows manipulation of charging sessions, billing data, and device commands. The flaw is tracked under CWE-1188 (Initialization of a Resource with an Insecure Default).

Critical Impact

An unauthenticated adjacent attacker can hijack the OCPP backend configuration of CHARX SEC charging controllers, compromising confidentiality, integrity, and availability of EV charging operations.

Affected Products

  • Phoenix Contact CHARX SEC-3000 and CHARX SEC-3000 firmware
  • Phoenix Contact CHARX SEC-3050 and CHARX SEC-3050 firmware
  • Phoenix Contact CHARX SEC-3100 / CHARX SEC-3150 and associated firmware

Discovery Timeline

  • 2025-07-08 - CVE-2025-25271 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-25271

Vulnerability Analysis

The CHARX SEC controllers expose a configuration interface that ships with insecure default settings. The interface does not enforce authentication for changes to the OCPP backend endpoint. OCPP is the standard protocol used by EV charging stations to communicate with central management systems for authorization, metering, and remote control.

An attacker on the adjacent network sends configuration requests directing the charger to a rogue OCPP backend under attacker control. Once the charger registers with the malicious backend, the attacker can issue OCPP commands, observe transaction data, and disrupt charging service. The advisory is published by CERT@VDE under VDE-2025-019.

Root Cause

The configuration interface uses insecure defaults that allow OCPP backend reconfiguration without authentication. The device does not require credentials, mutual TLS, or operator approval to change a security-critical setting. This matches the CWE-1188 pattern where a resource is initialized with insufficient access restrictions.

Attack Vector

Exploitation requires adjacent network access — typically the local network segment shared with the charging controller. No user interaction or prior authentication is needed. The attacker issues configuration calls to the exposed interface and points the OCPP client at a rogue backend. Subsequent charging sessions, RFID authorizations, and remote start/stop commands flow through the attacker.

No verified public proof-of-concept exploit is available at this time. See the CERT@VDE advisory for vendor-supplied technical details.

Detection Methods for CVE-2025-25271

Indicators of Compromise

  • Unexpected changes to the configured OCPP central system URL or endpoint on CHARX SEC devices.
  • OCPP BootNotification or StatusNotification messages directed to unknown or non-corporate domains.
  • Outbound WebSocket connections from charger management VLANs to unapproved destinations.
  • Unrecognized configuration write operations against the CHARX SEC management interface.

Detection Strategies

  • Baseline the OCPP backend URL on every CHARX SEC controller and alert on configuration drift.
  • Inspect network flows from EV charging VLANs for new outbound TLS or WebSocket destinations.
  • Correlate charger configuration changes with authorized change-management tickets.

Monitoring Recommendations

  • Forward charger logs and network telemetry to a centralized SIEM with OT-aware parsers.
  • Monitor adjacent network segments for unauthenticated HTTP/HTTPS calls to the CHARX configuration interface.
  • Track OCPP session establishment events and compare backend fingerprints against an allowlist.

How to Mitigate CVE-2025-25271

Immediate Actions Required

  • Apply the firmware update referenced in VDE-2025-019 on all affected CHARX SEC-3000/3050/3100/3150 units.
  • Restrict network access to the charger configuration interface using firewalls and VLAN segmentation.
  • Audit the OCPP backend URL on every device and reset any unauthorized changes.
  • Rotate any credentials or shared secrets used between chargers and the central management system.

Patch Information

Phoenix Contact has published mitigation guidance through CERT@VDE in advisory VDE-2025-019. Operators should consult the advisory for the fixed firmware versions and apply the vendor-supplied update.

Workarounds

  • Place CHARX SEC controllers on an isolated management VLAN reachable only by authorized engineering hosts.
  • Block inbound access to the configuration interface from untrusted adjacent networks using ACLs or firewall rules.
  • Require VPN or jump-host access for any administrative interaction with charger management interfaces.
  • Disable or restrict the configuration service when not actively in use for provisioning.
bash
# Example firewall rule restricting CHARX SEC management interface to a jump host
# Replace <CHARGER_IP> and <ADMIN_HOST_IP> with environment-specific values
iptables -A FORWARD -s <ADMIN_HOST_IP> -d <CHARGER_IP> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <CHARGER_IP> -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.