Phoenix Contact: Security Advisory for CHARX SEC-3xxx charging controllers

Plan Patch | 8.8 | VDE-2025-074 | Oct 14, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A code execution vulnerability exists in CHARX SEC-3xxx charging controllers. The vulnerability allows an authenticated attacker with network access to execute arbitrary code on the device, potentially compromising charging operations and equipment control. All firmware versions below 1.7.4 are affected.

What this means
What could happen
An attacker with valid credentials could execute arbitrary code on the CHARX SEC charging controller, potentially altering charging parameters, disrupting EV charging operations, or causing equipment damage.
Who's at risk
EV charging facility operators using Phoenix Contact CHARX SEC-3xxx controllers should prioritize this update. This affects municipal charging networks, fleet charging stations, and any organization operating these controllers on connected networks.
How it could be exploited
An attacker with valid engineering or operator credentials and network access to the controller's management interface could execute arbitrary code through the vulnerability, gaining control over the charging device's firmware and operational behavior.
Prerequisites
  • Network access to the CHARX SEC controller's management interface (port 80/443)
  • Valid user credentials (engineering workstation or operator account)
  • Controller firmware version below 1.7.4
remotely exploitable, requires valid credentials, affects charging infrastructure availability, low complexity attack
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
CHARX SEC-3150 | < FW 1.7.4 | FW 1.7.4
CHARX SEC-3100 | < FW 1.7.4 | FW 1.7.4
CHARX SEC-3050 | < FW 1.7.4 | FW 1.7.4
CHARX SEC-3000 | < FW 1.7.4 | FW 1.7.4
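
To find controllers that still need the update, the following added example (not part of the advisory and not Phoenix Contact tooling) checks an asset inventory against the four affected models and the fixed firmware version 1.7.4. The CSV column names, hostnames and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Models and fixed firmware version taken from the advisory's product table.
AFFECTED_MODELS = {"CHARX SEC-3000", "CHARX SEC-3050", "CHARX SEC-3100", "CHARX SEC-3150"}
FIXED_VERSION = (1, 7, 4)

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
hostname,model,firmware
charger-01,CHARX SEC-3100,1.7.3
charger-02,CHARX SEC-3150,FW 1.7.4
charger-03,CHARX SEC-3000,1.6
charger-04,CHARX SEC-3050,unknown
charger-05,CHARX SEC-3100,1.10.0
gateway-01,Other Device,1.0.0
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if no dotted version is found."""
    match = re.search(r"(\d+(?:\.\d+){1,2})", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(inventory_csv):
    """Map hostname -> 'vulnerable', 'fixed' or 'verify' for affected models only."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            continue
        version = parse_version(row["firmware"])
        if version is None:
            results[row["hostname"]] = "verify"  # no readable version: check by hand
        elif version < FIXED_VERSION:  # numeric tuple compare, so 1.10.0 > 1.7.4
            results[row["hostname"]] = "vulnerable"
        else:
            results[row["hostname"]] = "fixed"
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank "1.10.0" below "1.7.4" and wrongly flag a patched device.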
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the controller's management interface using a firewall; only permit connections from authorized engineering workstations and monitoring systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

CHARX SEC-3000
HOTFIX: Update CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 controllers to firmware version 1.7.4 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate EV charging controllers on a separate VLAN with restricted access from general corporate or public networks