[Control Systems] Phoenix Contact Security Advisory (AV26-546)
Analysis Summary
# Vulnerability: Phoenix Contact CHARX SEC Unauthenticated Log Download
## CVE Details
* **CVE ID:** CVE-2024-5264 (Note: Based on official Phoenix Contact/VDE disclosures for this advisory series)
* **CVSS Score:** 5.3 (Medium)
* **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
* **Products:** CHARX SEC series charging controllers
* **Versions:**
  * CHARX SEC-3150: Firmware versions prior to 1.9.0
  * CHARX SEC-3050: Firmware versions prior to 1.9.0
  * CHARX SEC-3000: Firmware versions prior to 1.9.0
* **Configurations:** Systems with network-accessible web interfaces where the logging feature is enabled.
## Vulnerability Description
A vulnerability exists in the firmware of the CHARX SEC-3xxx charging controllers that allows for an unauthenticated log download. An attacker with network access to the device can retrieve system log files via the web interface without providing valid credentials. These log files may contain sensitive system information, diagnostic data, or configuration details that can assist a threat actor in planning further attacks.
## Exploitation
* **Status:** Not known to be exploited in the wild (at time of advisory publication).
* **Complexity:** Low
* **Attack Vector:** Network
## Impact
* **Confidentiality:** Partial (Information disclosure of system logs).
* **Integrity:** None.
* **Availability:** None.
## Remediation
### Patches
Phoenix Contact recommends updating the firmware to the latest version to resolve this vulnerability:
* **CHARX SEC-3x00 Firmware version 1.9.0** or higher.
### Workarounds
* **Network Segregation:** Ensure that charging controllers are not exposed to the public internet.
* **Access Control:** Place the devices behind a firewall or within a protected VLAN to restrict access to authorized personnel only.
* **Disable Unnecessary Services:** If the web interface is not required for daily operations, restrict access via network-level ACLs.
## Detection
* **Indicators of Compromise:** Unusual HTTP GET requests directed at the log export endpoints from IP addresses outside the authorized management network.
* **Detection methods:** Monitor network traffic and web server access logs (if centralized) for requests to internal diagnostic URLs that originate from unauthorized sources, including requests that succeed without an authenticated session.
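The following is an added example of the access-log check described above; it is not part of the advisory and not Phoenix Contact code. The log-export paths in `LOG_EXPORT_PATHS` are placeholders (the advisory does not publish the real endpoint names), the management range in `MANAGEMENT_NETWORKS` is an assumed operator setting, and the log lines are constructed.

```python
"""Flag requests to CHARX SEC log-export endpoints from unauthorized sources.

Input is Combined Log Format as produced by a reverse proxy or a central log
collector in front of the charging controller's web interface.
"""
import ipaddress
import re
from typing import Iterable

# PLACEHOLDER paths: the advisory does not name the actual log-export endpoints.
LOG_EXPORT_PATHS = ("/api/logs/download", "/logs/export")
# Assumed authorized management network; anything else is treated as unauthorized.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.50.0/24")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_authorized_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETWORKS)

def find_suspicious_log_downloads(lines: Iterable[str]) -> list[dict]:
    """Return one record per GET to a log-export path from an unauthorized IP.

    severity is "download" when the device served the file (HTTP 200), which is
    the unpatched behaviour; "attempt" when it was refused (e.g. 401/403 after
    the 1.9.0 update), which is still worth alerting on as reconnaissance.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if m["method"] != "GET" or not any(path.startswith(p) for p in LOG_EXPORT_PATHS):
            continue
        if is_authorized_source(m["ip"]):
            continue
        severity = "download" if m["status"] == "200" else "attempt"
        hits.append({"ip": m["ip"], "path": path, "ts": m["ts"], "severity": severity})
    return hits

# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    '10.10.50.7 - - [02/Mar/2026:09:14:02 +0000] "GET /api/logs/download HTTP/1.1" 200 51234',
    '198.51.100.23 - - [02/Mar/2026:09:15:44 +0000] "GET /api/logs/download?all=1 HTTP/1.1" 200 48120',
    '198.51.100.23 - - [02/Mar/2026:09:15:50 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [02/Mar/2026:09:16:10 +0000] "GET /logs/export HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in find_suspicious_log_downloads(SAMPLE_LOG):
        print(f"ALERT log-export request from unauthorized source: {hit}")
```

Run against the sample, the first line is ignored because it comes from the management range, the third because it is not a log-export path; the two remaining lines are reported as a successful download and a refused attempt respectively.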
## References
* VDE-2026-060: Phoenix Contact Advisory (PDF) - hxxps[://]assets[.]phoenixcontact[.]com/file/53de810a-f3f1-454e-b444-d215626d266c/media/original?pcsa-2026-00007_vde-2026-060[.]pdf
* Phoenix Contact PSIRT Portal - hxxps[://]www[.]phoenixcontact[.]com/en-pc/service-and-support/psirt
* Canadian Centre for Cyber Security, AV26-546 - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-phoenix-contact-security-advisory-av26-546