CVE-2024-25995 - Vulnerability Details

An unauthenticated remote attacker can modify configurations to perform a remote code execution, gain root rights or perform an DoS due to improper input validation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Phoenixcontact	Charx Sec-3000 Charx Sec-3000 Firmware Charx Sec-3050 Charx Sec-3050 Firmware Charx Sec-3100 Charx Sec-3100 Firmware Charx Sec-3150 Charx Sec-3150 Firmware Charx Sec 3000 Charx Sec 3050 Charx Sec 3100 Charx Sec 3150

Configuration 1 [-]

AND

cpe:2.3:o:phoenixcontact:charx_sec-3000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:charx_sec-3000:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:phoenixcontact:charx_sec-3050_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:charx_sec-3050:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:phoenixcontact:charx_sec-3100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:charx_sec-3100:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:phoenixcontact:charx_sec-3150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:charx_sec-3150:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2024-011
https://www.zerodayinitiative.com/advisories/ZDI-24-856/

History

Thu, 30 Jan 2025 11:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-306

Thu, 30 Jan 2025 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Phoenixcontact charx Sec 3000 Phoenixcontact charx Sec 3050 Phoenixcontact charx Sec 3100 Phoenixcontact charx Sec 3150
CPEs		cpe:2.3:a:phoenixcontact:charx_sec_3000:::::::: cpe:2.3:a:phoenixcontact:charx_sec_3050:::::::: cpe:2.3:a:phoenixcontact:charx_sec_3100:::::::: cpe:2.3:a:phoenixcontact:charx_sec_3150::::::::
Vendors & Products		Phoenixcontact charx Sec 3000 Phoenixcontact charx Sec 3050 Phoenixcontact charx Sec 3100 Phoenixcontact charx Sec 3150
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 30 Jan 2025 11:00:00 +0000

Type	Values Removed	Values Added
Description	An unauthenticated remote attacker can modify configurations to perform a remote code execution due to a missing authentication for a critical function.	An unauthenticated remote attacker can modify configurations to perform a remote code execution, gain root rights or perform an DoS due to improper input validation.
Title	PHOENIX CONTACT: Remote code execution in CHARX Series	PHOENIX CONTACT: Remote code execution in CHARX Series
Weaknesses		CWE-20
References		https://www.zerodayinitiative.com/advisories/ZDI-24-856/

Thu, 23 Jan 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Phoenixcontact Phoenixcontact charx Sec-3000 Phoenixcontact charx Sec-3000 Firmware Phoenixcontact charx Sec-3050 Phoenixcontact charx Sec-3050 Firmware Phoenixcontact charx Sec-3100 Phoenixcontact charx Sec-3100 Firmware Phoenixcontact charx Sec-3150 Phoenixcontact charx Sec-3150 Firmware
CPEs		cpe:2.3:h:phoenixcontact:charx_sec-3000:-:::::::* cpe:2.3:h:phoenixcontact:charx_sec-3050:-:::::::* cpe:2.3:h:phoenixcontact:charx_sec-3100:-:::::::* cpe:2.3:h:phoenixcontact:charx_sec-3150:-:::::::* cpe:2.3:o:phoenixcontact:charx_sec-3000_firmware:::::::: cpe:2.3:o:phoenixcontact:charx_sec-3050_firmware:::::::: cpe:2.3:o:phoenixcontact:charx_sec-3100_firmware:::::::: cpe:2.3:o:phoenixcontact:charx_sec-3150_firmware::::::::
Vendors & Products		Phoenixcontact Phoenixcontact charx Sec-3000 Phoenixcontact charx Sec-3000 Firmware Phoenixcontact charx Sec-3050 Phoenixcontact charx Sec-3050 Firmware Phoenixcontact charx Sec-3100 Phoenixcontact charx Sec-3100 Firmware Phoenixcontact charx Sec-3150 Phoenixcontact charx Sec-3150 Firmware

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2024-03-12T08:10:58.302Z

Updated: 2025-01-30T10:48:21.911Z

Reserved: 2024-02-14T08:22:26.364Z

Link: CVE-2024-25995

Vulnrichment

Updated: 2024-08-01T23:52:06.490Z

NVD

Status : Modified

Published: 2024-03-12T09:15:07.343

Modified: 2025-01-30T11:15:11.290

Link: CVE-2024-25995

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object