Remote Code Execution Vulnerability in Configuration
CVE-2024-25995

9.8CRITICAL

Key Information:

Vendor: Phoenix Contact
Status: Charx Sec-3000; Charx Sec-3050; Charx Sec-3100; Charx Sec-3150
Vendor: CVE Published:; 12 March 2024

Summary

An unauthenticated remote attacker has the ability to exploit a specific function within Vendor's software due to the absence of required authentication. This weakness allows for the manipulation of configuration settings, which can pave the way for executing arbitrary code remotely. Organizations using affected versions should implement immediate security measures to mitigate the risk associated with this vulnerability.

Affected Version(s)

CHARX SEC-3000 0 <= 1.5.0

CHARX SEC-3050 0 <= 1.5.0

CHARX SEC-3100 0 <= 1.5.0

References

https://cert.vde.com/en/advisories/VDE-2024-011

vendor-advisory

https://www.zerodayinitiative.com/advisories/ZDI-24-856/

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Feb 14, 2024

Credit

Alex Plaskett of NCC Group

McClaulay Hudson of NCC Group