VDE-2024-022

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2024-08-13 10:00 - Updated: 2025-08-27 10:00
Summary
Phoenix Contact: Security Advisory for CHARX-SEC3xxx Charge controllers
Severity
High
Notes
Summary: Start sequence for firewall service allows attack during the boot process. Password is reset to default when the device undergoes a firmware upgrade.
Impact: These vulnerabilities may allow an attacker within the network to change the device configuration through an unauthenticated internal service before the firewall is started during boot process. The second vulnerability may allow an local attacker to use the firmware update feature to reset the user-app accounts password to the dafault value that is documented in the product documentation. The user "user-app" has limited access rights.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.
Remediation: Phoenix Contact strongly recommends upgrading affected charge controllers to firmware version 1.6.3 or higher which fixes these vulnerabilities.
General Recommendation: For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf)
Product Description: CHARX control modular AC are charging controllers for mode 3 electric vehicle charging.
CVE-2024-3913
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-552 - Files or Directories Accessible to External Parties
Vendor Fix Phoenix Contact strongly recommends upgrading affected charge controllers to firmware version 1.6.3 or higher which fixes these vulnerabilities.
Workaround Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.
CVE-2024-6788
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CWE-1392 - Use of Default Credentials
Vendor Fix Phoenix Contact strongly recommends upgrading affected charge controllers to firmware version 1.6.3 or higher which fixes these vulnerabilities.
Workaround Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.
References
Acknowledgments
CERTVDE certvde.com
Trend Micro's Zero Day Initiative Alex Olson, "gadha" www.zerodayinitiative.com/
NCC Group McCaulay Hudson Alexander Plaskett www.nccgroup.com/
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Alex Olson, \"gadha\""
        ],
        "organization": "Trend Micro\u0027s Zero Day Initiative",
        "summary": "reporting",
        "urls": [
          "https://www.zerodayinitiative.com/"
        ]
      },
      {
        "names": [
          "McCaulay Hudson",
          "Alexander Plaskett"
        ],
        "organization": "NCC Group",
        "summary": "reporting",
        "urls": [
          "https://www.nccgroup.com/"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "high"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Start sequence for firewall service allows attack during the boot process. Password is reset to default when the device undergoes a firmware upgrade.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "These vulnerabilities may allow an attacker within the network to change the device configuration through an unauthenticated internal service before the firewall is started during boot process. The second vulnerability may allow an local attacker to use the firmware update feature to reset the user-app accounts password to the dafault value that is documented in the product documentation. The user \"user-app\" has limited access rights.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Phoenix Contact recommends operating network-capable devices in closed networks or\nprotected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Phoenix Contact strongly recommends upgrading affected charge controllers to firmware\nversion 1.6.3 or higher which fixes these vulnerabilities.",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "For general information and recommendations on security measures to protect network-enabled\ndevices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf)",
        "title": "General Recommendation"
      },
      {
        "category": "description",
        "text": "CHARX control modular AC are charging controllers for mode 3 electric vehicle charging. ",
        "title": "Product Description"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "2024/00003: ",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "Phoenix Contact advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "external",
        "summary": "Phoenix Contact application note",
        "url": "https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
      },
      {
        "category": "self",
        "summary": "VDE-2024-022: Phoenix Contact: Security Advisory for CHARX-SEC3xxx Charge controllers - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2024-022/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-022: Phoenix Contact: Security Advisory for CHARX-SEC3xxx Charge controllers - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-022.json"
      }
    ],
    "title": "Phoenix Contact: Security Advisory for CHARX-SEC3xxx Charge controllers",
    "tracking": {
      "aliases": [
        "VDE-2024-022",
        "2024/00003"
      ],
      "current_release_date": "2025-08-27T10:00:00.000Z",
      "generator": {
        "date": "2025-08-28T07:35:50.642Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.34"
        }
      },
      "id": "VDE-2024-022",
      "initial_release_date": "2024-08-13T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-08-13T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "initial revision"
        },
        {
          "date": "2025-03-14T11:30:00.000Z",
          "number": "1.0.1",
          "summary": "Fix: typo in version"
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "1.0.2",
          "summary": "Fix: added distribution, quotation mark"
        },
        {
          "date": "2025-08-27T10:00:00.000Z",
          "number": "1.1.2",
          "summary": "Update: CWE from CVE-2024-6788, Revision History"
        }
      ],
      "status": "final",
      "version": "1.1.2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CHARX SEC-3000",
                "product": {
                  "name": "CHARX SEC-3000",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1139022"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "CHARX SEC-3050",
                "product": {
                  "name": "CHARX SEC-3050",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1139018"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "CHARX SEC-3100",
                "product": {
                  "name": "CHARX SEC-3100",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1139012"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "CHARX SEC-3150",
                "product": {
                  "name": "CHARX SEC-3150",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1138965"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.6.3",
                "product": {
                  "name": "Firmware \u003c1.6.3",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "1.6.3",
                "product": {
                  "name": "Firmware 1.6.3",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "summary": "Fixed Products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c1.6.3 installed on CHARX SEC-3000",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c1.6.3 installed on CHARX SEC-3050",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c1.6.3 installed on CHARX SEC-3100",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c1.6.3 installed on CHARX SEC-3150",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.6.3 installed on CHARX SEC-3000",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.6.3 installed on CHARX SEC-3050",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.6.3 installed on CHARX SEC-3100",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.6.3 installed on CHARX SEC-3150",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11004"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-3913",
      "cwe": {
        "id": "CWE-552",
        "name": "Files or Directories Accessible to External Parties"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated remote attacker can use this vulnerability to change the device configuration due to a file writeable for short time after system startup.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ]
      },
      "release_date": "2024-08-13T10:00:00.000Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Phoenix Contact strongly recommends upgrading affected charge controllers to firmware\nversion 1.6.3 or higher which fixes these vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "workaround",
          "details": "Phoenix Contact recommends operating network-capable devices in closed networks or\nprotected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "CVE-2024-3913"
    },
    {
      "cve": "CVE-2024-6788",
      "cwe": {
        "id": "CWE-1392",
        "name": "Use of Default Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user \u0027user-app\u0027 to the default password.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ]
      },
      "release_date": "2024-08-13T10:00:00.000Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Phoenix Contact strongly recommends upgrading affected charge controllers to firmware\nversion 1.6.3 or higher which fixes these vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "workaround",
          "details": "Phoenix Contact recommends operating network-capable devices in closed networks or\nprotected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to General Recommendation.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "environmentalScore": 8.6,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.6,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "CVE-2024-6788"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.