In a coordinated disclosure with CERT@VDE, Phoenix Contact GmbH & Co. KG has issued an urgent advisory addressing four critical and high-severity vulnerabilities in the firmware of its CHARX SEC-3xxx series electric vehicle (EV) charging controllers. Together, the flaws allow an unauthenticated attacker to obtain remote root access, repoint the charger's OCPP backend, or escalate privileges through a local interface.
According to the advisory, these flaws “can lead to a total loss of confidentiality, integrity and availability of the devices” if left unpatched.
CVE-2025-25270 (CVSS 9.8) – Remote Code Execution as Root
The most critical issue allows an unauthenticated remote attacker to alter the device configuration in a way that enables remote code execution with root privileges. The attack depends on specific device configurations, but wherever it applies it hands the attacker full control over the EV charger.
“An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations,” the advisory warns.
CVE-2025-25268 (CVSS 8.8) – Unauthorized Configuration via API
A second flaw permits an unauthenticated adjacent attacker (one on the same network segment as the controller) to modify system configuration through an API endpoint that lacks authentication controls. Exploitation yields read and write access to the system.
“An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication.”
CVE-2025-25271 (CVSS 8.8) – Insecure OCPP Backend Reconfiguration
This vulnerability allows an unauthenticated attacker on an adjacent network segment to reconfigure the Open Charge Point Protocol (OCPP) backend, owing to insecure defaults in the configuration interface. An attacker could redirect the charger's OCPP traffic to a malicious backend or disconnect the charger from its intended operator.
“An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface.”
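Because CVE-2025-25271 lets an adjacent attacker point a charger at a different OCPP backend, an operator can catch a successful exploit by watching where chargers actually connect. The following is an added illustration, not code from Phoenix Contact or the CERT@VDE advisory: it assumes the operator exports outbound OCPP WebSocket connection records (constructed inline here) and keeps an allow-list of legitimate backends. It relies only on the OCPP-J convention that the charge point identity is the last path segment of the backend URL; the host names, charger IDs and `ALLOWED_BACKENDS` are illustrative assumptions.

```python
"""Flag EV chargers whose OCPP backend differs from the operator's allow-list.

Added example (not vendor code). Input is a list of (charger_id, backend_url)
pairs, e.g. extracted from proxy/firewall logs or from each controller's
configuration. Verdicts:
  ok                 - TLS WebSocket to an allow-listed backend, identity matches
  plaintext          - ws:// (unencrypted) or non-WebSocket scheme
  unknown_backend    - wss:// but host/port not on the allow-list (redirect)
  identity_mismatch  - allow-listed backend, but URL path names another charger
"""
from urllib.parse import urlsplit

# Assumed allow-list of (scheme, host, port) for the operator's real backend.
ALLOWED_BACKENDS = {("wss", "ocpp.operator.example", 443)}

# Constructed sample records; in practice these come from logs or inventory.
SAMPLE_CONNECTIONS = [
    ("CHARX-0001", "wss://ocpp.operator.example/ocpp/CHARX-0001"),
    ("CHARX-0002", "wss://ocpp.operator.example/ocpp/CHARX-0002"),
    ("CHARX-0003", "ws://203.0.113.45:9000/ocpp/CHARX-0003"),  # plaintext, unknown host
    ("CHARX-0004", "wss://ocpp.operator.example.attacker.test/ocpp/CHARX-0004"),  # look-alike
]


def parse_backend(url):
    """Return (scheme, host, port, identity) for an OCPP-J WebSocket URL.

    Ports default to 80 for ws:// and 443 for wss://; identity is the last
    path segment, which OCPP-J uses to carry the charge point identity.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"ws": 80, "wss": 443}.get(scheme)
    identity = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return scheme, host, port, identity


def classify(charger_id, url, allowed=ALLOWED_BACKENDS):
    """Classify one charger's backend URL against the allow-list."""
    scheme, host, port, identity = parse_backend(url)
    if (scheme, host, port) not in allowed:
        # Anything that is not TLS WebSocket is reported as plaintext first,
        # since it also exposes OCPP messages to interception on the segment.
        return "plaintext" if scheme != "wss" else "unknown_backend"
    if identity != charger_id:
        return "identity_mismatch"
    return "ok"


def find_redirected(connections, allowed=ALLOWED_BACKENDS):
    """Return [(charger_id, url, verdict)] for every connection that is not 'ok'."""
    findings = []
    for charger_id, url in connections:
        verdict = classify(charger_id, url, allowed)
        if verdict != "ok":
            findings.append((charger_id, url, verdict))
    return findings


if __name__ == "__main__":
    for charger_id, url, verdict in find_redirected(SAMPLE_CONNECTIONS):
        print(f"{charger_id}: {verdict} -> {url}")
```

The look-alike host in the sample is deliberate: an allow-list keyed on exact host, port and scheme catches `ocpp.operator.example.attacker.test`, whereas a substring match on the operator's domain would not. Run the same check over the backend URL stored in each controller's configuration, not only over network logs, so a reconfiguration is caught even before the charger next reconnects.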
CVE-2025-25269 (CVSS 8.4) – Local Privilege Escalation
The fourth vulnerability enables a local attacker to inject a command that is later executed as root, enabling unauthorized privilege escalation.
“An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation.”
Affected Products
The following Phoenix Contact CHARX SEC-3xxx models are vulnerable if running firmware versions earlier than 1.7.3:
- CHARX SEC-3000
- CHARX SEC-3050
- CHARX SEC-3100
- CHARX SEC-3150
Mitigation and Recommendations
While these controllers are intended for deployment in closed industrial networks, Phoenix Contact strongly urges customers to:
- Use the devices only within closed networks
- Apply network segmentation and firewall protection
- Immediately upgrade firmware to version 1.7.3, which addresses all four vulnerabilities