Phoenix Contact: Security Advisory for CHARX-SEC3xxx Charge controllers

Plan PatchCVSS 8.6VDE-2024-022Aug 13, 2024

Phoenix Contact

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 charge controllers contain two vulnerabilities: (1) the firewall service starts late in the boot sequence, leaving the device briefly exposed to unauthenticated network access during startup; (2) the device resets the administrator password to a default value when undergoing firmware upgrades, allowing an attacker who observes or triggers an upgrade to take control of the device. Both issues can lead to unauthorized device access and modification of charging operations.

What this means

What could happen

An attacker could exploit firewall configuration gaps during device boot to gain unauthorized access, or reset administrator credentials during a firmware upgrade, potentially allowing full control of the charge controller and the EV charging infrastructure it manages.

Who's at risk

EV charging infrastructure operators and facilities deploying Phoenix Contact CHARX SEC-3xxx charge controller series. This affects charging networks in commercial, municipal, and utility settings that rely on these controllers for power management and charging operations.

How it could be exploited

An attacker on the network could intercept the CHARX device during boot before the firewall service fully starts, allowing unfiltered access to the device. Alternatively, if an attacker can trigger or observe a firmware upgrade, they could reset the admin password to its default value and use that to access the device remotely.

Prerequisites

Network connectivity to the CHARX device port (IP-based access)
For boot-sequence exploit: ability to send traffic during device startup
For firmware reset exploit: ability to observe or trigger a firmware upgrade process

remotely exploitableno authentication required (boot sequence exploit)low complexityhigh CVSS score (8.6)affects EV charging infrastructure availability

Exploitability

Some exploitation risk — EPSS score 3.9%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

CHARX SEC-3000<1.6.31.6.3

CHARX SEC-3050<1.6.31.6.3

CHARX SEC-3100<1.6.31.6.3

CHARX SEC-3150<1.6.31.6.3

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to CHARX devices using firewall rules: block inbound access to the device management ports from untrusted networks or the internet

HARDENINGChange default administrator credentials on all CHARX devices immediately after any firmware upgrade

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

CHARX SEC-3000

HOTFIXUpdate all CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 charge controllers to firmware version 1.6.3 or higher

Long-term hardening

0/1

HARDENINGPlace CHARX charge controllers on a segregated network or VLAN separate from general IT networks to limit attacker reach

CVEs (2)

CVE-2024-3913 CVE-2024-6788

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/903fd8cc-3691-4340-a6b2-8d7f58420342

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.