Insecure Configuration Interface in OCPP Backend by a Leading Vendor
CVE-2025-25271
What is CVE-2025-25271?
CVE-2025-25271 is a significant vulnerability found in the OCPP (Open Charge Point Protocol) backend developed by Phoenix Contact, a known vendor in the field of industrial automation and electric vehicle charging solutions. This vulnerability stems from an insecure configuration interface that can be manipulated by an unauthenticated adjacent attacker. Specifically, the issue arises from default settings that do not adequately secure the configuration interface, allowing unauthorized users to set up a new OCPP backend. The implications for organizations are severe; if exploited, this vulnerability could lead to unauthorized access, manipulation of charging stations, or disruption of electric vehicle charging services, thereby affecting both operational continuity and the integrity of the network.
Potential Impact of CVE-2025-25271
-
Unauthorized Configuration Changes: Attackers can exploit the insecure configuration interface to make unauthorized adjustments to charge point settings, potentially leading to service disruptions and manipulated charging operations.
-
Network Compromise: By configuring a rogue OCPP backend, attackers may gain access to sensitive data or systems interconnected with the charging network. This could facilitate further attacks within the organization or on related infrastructures.
-
Service Downtime: The exploitation of this vulnerability could result in significant downtime for electric vehicle charging services, affecting customer trust and causing financial losses for operators who rely on these services for revenue generation.
Affected Version(s)
CHARX SEC-3000 0.0.0 < 1.7.3
CHARX SEC-3050 0.0.0 < 1.7.3
CHARX SEC-3100 0.0.0 < 1.7.3