Cyber Resilience

CVE-2025-25271

High

Published: 08 July 2025

Modified: 11 July 2025
KEV Added
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25271 is a high-severity vulnerability of the class Initialization of a Resource with an Insecure Default (CWE-1188) in Phoenix Contact CHARX SEC-3000 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-25271 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) caused by insecure defaults in a configuration interface, which let an unauthenticated adjacent attacker configure a new OCPP backend. The issue is classified as CWE-1188 (Initialization of a Resource with an Insecure Default). It affects components handling OCPP, the Open Charge Point Protocol commonly used in electric vehicle charging infrastructure.

An adjacent attacker on the local network (AV:A) can exploit this with low attack complexity (AC:L), without authentication (PR:N) and without user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full reconfiguration of the OCPP backend for malicious purposes such as data interception, command injection, or service disruption.

The primary advisory, VDE-2025-019 from CERT VDE (https://certvde.com/de/advisories/VDE-2025-019), details the vulnerability and likely includes mitigation guidance, such as securing the configuration interface or applying vendor patches.

Vulnerability details

An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface.

CWE(s)

CWE-1188: Initialization of a Resource with an Insecure Default

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Unauthenticated adjacent exploitation of the OCPP configuration interface directly enables remote service exploitation (T1210) and compromise of a public- or adjacent-facing application (T1190), leading to backend reconfiguration, command injection and disruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25270 (same product: Phoenixcontact Charx Sec-3000)
CVE-2025-24003 (same product: Phoenixcontact Charx Sec-3000)
CVE-2025-25269 (same product: Phoenixcontact Charx Sec-3000)
CVE-2026-32965 (shared CWE-1188)
CVE-2025-69970 (shared CWE-1188)
CVE-2026-33376 (shared CWE-1188)
CVE-2026-27662 (shared CWE-1188)
CVE-2026-31957 (shared CWE-1188)
CVE-2026-30805 (shared CWE-1188)
CVE-2026-43581 (shared CWE-1188)

Affected Assets

phoenixcontact charx sec-3000 firmware, versions ≤ 1.7.3
phoenixcontact charx sec-3050 firmware, versions ≤ 1.7.3
phoenixcontact charx sec-3100 firmware, versions ≤ 1.7.3
phoenixcontact charx sec-3150 firmware, versions ≤ 1.7.3

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Establishes and enforces secure configuration settings for system components, directly countering the insecure default settings in the configuration interface that allow unauthenticated reconfiguration of the OCPP backend.

Prevent: Limits and documents actions permitted without identification or authentication, preventing unauthenticated adjacent attackers from accessing sensitive configuration functions.

Prevent: Enforces approved authorizations for logical access to system resources, blocking unauthenticated attempts to configure the OCPP backend via the vulnerable interface.
