Latest Phoenix Contact vulnerabilities #

In July 2025, Phoenix Contact disclosed vulnerabilities in certain models and versions of their AC charging controller and Programmable Logic Controller (PLC) firmware.


July 2025: AC charging controller vulnerabilities #

Nine vulnerabilities have been disclosed, across two advisories (VDE-2025-019 and VDE-2025-014), in certain models and versions of Phoenix Contact CHARX SEC-3XXX series AC charging controller firmware.

• An unauthenticated remote adversary can alter the device configuration in a way that achieves remote code execution as the root user under specific configurations. This vulnerability has been designated CVE-2025-25270 and has been rated critical with a CVSS score of 9.8.
• An unauthenticated adjacent adversary can modify the device configuration by sending specific requests to an API endpoint, gaining read and write access due to missing authentication. This vulnerability has been designated CVE-2025-25268 and has been rated high with a CVSS score of 8.8.
• An unauthenticated adjacent adversary can configure a new OCPP backend due to insecure defaults for the configuration interface. This vulnerability has been designated CVE-2025-25271 and has been rated high with a CVSS score of 8.8.
• An unauthenticated local adversary can inject a command that is subsequently executed as the root user, leading to a privilege escalation. This vulnerability has been designated CVE-2025-25269 and has been rated high with a CVSS score of 8.4.
• An unauthenticated remote adversary can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity limited to EichrechtAgents and a potential denial-of-service (DoS) for these stations. This vulnerability has been designated CVE-2025-24003 and has been rated high with a CVSS score of 8.2.
• A local adversary with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. This vulnerability has been designated CVE-2025-24005 and has been rated high with a CVSS score of 7.8.
• A low-privileged local adversary can leverage insecure permissions via SSH on the affected devices to escalate privileges to root. This vulnerability has been designated CVE-2025-24006 and has been rated high with a CVSS score of 7.8.
• An unauthenticated remote adversary can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service (DoS) for the stations until they are restarted by the watchdog service. This vulnerability has been designated CVE-2025-24002 and has been rated medium with a CVSS score of 5.3.
• An adversary with physical access to the device can send a message to the device via the USB-C configuration interface that triggers an insecure copy to a buffer, resulting in a loss of integrity and a temporary denial-of-service (DoS) for the stations until they are restarted by the watchdog service. This vulnerability has been designated CVE-2025-24004 and has been rated medium with a CVSS score of 5.3.

The following models and versions are affected:

• CHARX SEC-3000 firmware versions before 1.7.3
• CHARX SEC-3050 firmware versions before 1.7.3
• CHARX SEC-3100 firmware versions before 1.7.3
• CHARX SEC-3150 firmware versions before 1.7.3
• CHARX SEC-3000 firmware versions through 1.6.5
• CHARX SEC-3050 firmware versions through 1.6.5
• CHARX SEC-3100 firmware versions through 1.6.5
• CHARX SEC-3150 firmware versions through 1.6.5

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable device, potentially leading to complete system compromise.

Are any updates or workarounds available? #

Phoenix Contact has released updates to fix most of these issues. Users are encouraged to update to the latest firmware version, 1.7.3, as quickly as possible. It fixes all but three vulnerabilities (CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004), which relate to the German Calibration Law (Eichrecht) functionality in firmware versions through 1.6.5. The vendor has no planned fix for these three issues.

• CHARX SEC-3000 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3050 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3100 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3150 upgrade to firmware version 1.7.3 or later

How to find affected Phoenix Contact AC charging controllers with runZero #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Phoenix Contact CHARX SEC-3000" OR hw:="Phoenix Contact CHARX SEC-3050" OR hw:="Phoenix Contact CHARX SEC-3100" OR hw:="Phoenix Contact CHARX SEC-3150"

July 2025: Programmable Logic Controller vulnerabilities #

Four vulnerabilities have been disclosed in certain models and versions of Phoenix Contact Programmable Logic Controller (PLC) PLCnext firmware.

• A low-privileged remote adversary is able to trigger the watchdog service to reboot the device due to incorrect default permissions on a config file. The vulnerability may be used to perform denial-of-service (DoS) attacks against the device or to gain unauthorized access by triggering the vulnerabilities identified below. This vulnerability has been designated CVE-2025-41665 and has been rated medium with a CVSS score of 6.5.
• A low-privileged remote adversary with file access is able to replace a critical file used by the watchdog service. Once the watchdog service has been initialized, the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41666 and has been rated high with a CVSS score of 8.8.
• A low-privileged remote adversary with file access is able to replace a critical file used by the arp-preinit script. By replacing the critical file, the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41667 and has been rated high with a CVSS score of 8.8.
• A low-privileged remote adversary with file access is able to replace a critical file or directory used by the security-profile service. By replacing the critical file or directory, the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41668 and has been rated high with a CVSS score of 8.8.
• In addition, multiple vulnerabilities exist in Linux components within the device firmware. Please refer to VDE-2025-053 for the full list.

The following models and versions are affected:

• AXC F 1152 firmware versions before 2025.0.2
• AXC F 2152 firmware versions before 2025.0.2
• AXC F 3152 firmware versions before 2025.0.2
• BPC 9102S firmware versions before 2025.0.2
• RFC 4072S firmware versions before 2025.0.2

What is the impact? #

Successful exploitation of CVE-2025-41665 alone would allow an adversary to perform denial-of-service (DoS) attacks against the device, but in combination with CVE-2025-41666, CVE-2025-41667 or CVE-2025-41668 an adversary may gain full control over the device.

Are any updates or workarounds available? #

Phoenix Contact has released updates to fix these issues. Users are encouraged to update to the latest firmware version as quickly as possible.

• AXC F 1152 upgrade to firmware version 2025.0.2 or later
• AXC F 2152 upgrade to firmware version 2025.0.2 or later
• AXC F 3152 upgrade to firmware version 2025.0.2 or later
• BPC 9102S upgrade to firmware version 2025.0.2 or later
• RFC 4072S upgrade to firmware version 2025.0.2 or later

How to find affected Phoenix Contact PLC devices with runZero #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Phoenix Contact AXC F 1152" OR hw:="Phoenix Contact AXC F 2152" OR hw:="Phoenix Contact AXC F 3152" OR hw:="Phoenix Contact BPC 9102S" OR hw:="Phoenix Contact RFC 4072S"
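The two inventory queries above find every matching model, but whether a given device actually needs action depends on its firmware version, and "before 1.7.3" or "through 1.6.5" cannot be evaluated with a plain string comparison (a string compare ranks "1.10.0" below "1.7.3"). The script below is an added example, not runZero's code or Phoenix Contact's: it takes a constructed inventory export, where "hw" is the hardware string the queries match on and "firmware" is a hypothetical attribute holding the version string, and applies the affected ranges from both advisory sections, including the three Eichrecht CVEs that have no vendor fix.

```python
"""Triage a (constructed) asset inventory against the July 2025 Phoenix Contact
advisory version ranges. Added example; field names are assumptions."""
import re

# Affected models, exactly as listed in the two advisory sections.
CHARX_MODELS = {"CHARX SEC-3000", "CHARX SEC-3050", "CHARX SEC-3100", "CHARX SEC-3150"}
PLC_MODELS = {"AXC F 1152", "AXC F 2152", "AXC F 3152", "BPC 9102S", "RFC 4072S"}

CHARX_FIXED = "1.7.3"           # "before 1.7.3" is affected; 1.7.3 fixes all but the Eichrecht CVEs
CHARX_EICHRECHT_LAST = "1.6.5"  # Eichrecht CVEs affect versions "through 1.6.5"; no vendor fix planned
PLC_FIXED = "2025.0.2"          # "before 2025.0.2" is affected


def parse_version(version):
    """Turn '1.7.3' into (1, 7, 3) so each component compares numerically.
    A plain string comparison would wrongly rank '1.10.0' below '1.7.3'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def triage_asset(asset):
    """Return the list of actions for one asset record.

    'hw' is the hardware string in the form the runZero queries match on;
    'firmware' is a hypothetical attribute holding the version string. A listed
    model with an unknown version is flagged for manual checking rather than
    silently treated as patched."""
    model = asset.get("hw", "").removeprefix("Phoenix Contact ").strip()
    version = asset.get("firmware")
    findings = []
    if model in CHARX_MODELS:
        if version is None:
            return ["firmware version unknown; verify manually"]
        v = parse_version(version)
        if v < parse_version(CHARX_FIXED):
            findings.append(f"upgrade to {CHARX_FIXED} or later (VDE-2025-019, VDE-2025-014)")
        if v <= parse_version(CHARX_EICHRECHT_LAST):
            findings.append("CVE-2025-24002/24003/24004 (Eichrecht): no vendor fix planned")
    elif model in PLC_MODELS:
        if version is None:
            return ["firmware version unknown; verify manually"]
        if parse_version(version) < parse_version(PLC_FIXED):
            findings.append(f"upgrade to {PLC_FIXED} or later (CVE-2025-41665 to CVE-2025-41668)")
    return findings


def triage_inventory(inventory):
    """Map each asset's address to its findings, omitting assets with none."""
    results = {}
    for asset in inventory:
        findings = triage_asset(asset)
        if findings:
            results[asset["address"]] = findings
    return results


# Constructed sample inventory; illustrative records, not real scan data.
SAMPLE_INVENTORY = [
    {"address": "10.0.1.10", "hw": "Phoenix Contact CHARX SEC-3000", "firmware": "1.6.5"},
    {"address": "10.0.1.11", "hw": "Phoenix Contact CHARX SEC-3100", "firmware": "1.7.0"},
    {"address": "10.0.1.12", "hw": "Phoenix Contact CHARX SEC-3150", "firmware": "1.10.0"},
    {"address": "10.0.1.13", "hw": "Phoenix Contact CHARX SEC-3050"},
    {"address": "10.0.2.20", "hw": "Phoenix Contact AXC F 2152", "firmware": "2024.0.9"},
    {"address": "10.0.2.21", "hw": "Phoenix Contact RFC 4072S", "firmware": "2025.0.2"},
    {"address": "10.0.3.30", "hw": "Other Vendor Model X", "firmware": "4.5"},
]

if __name__ == "__main__":
    for address, findings in triage_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{address}: {finding}")
```

Note the split between the two CHARX checks: a controller on 1.7.0 is below the fixed release and gets an upgrade finding, but it is above 1.6.5, so the Eichrecht entry is not raised for it; a controller on 1.6.5 gets both, and the second one has no patch to wait for.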

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB, and Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, he often enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.
