CVE Alert: CVE-2025-41699 – Phoenix Contact – CHARX SEC-3150

**Risk verdict** High risk of remote code injection with root access via the web-based management interface; exploitation is plausible across networks where accounts exist, but active exploitation is not evidenced in the SSVC data.

**Why this matters** Compromise could give an attacker full control over device configuration, threatening availability and integrity of charging operations and plant safety. The impact can disrupt services, cause equipment outages, and create regulatory or safety compliance risks across an industrial environment.

**Most likely attack path** An attacker with a valid web UI account can reach the device over the network. Weak input handling enables command injection to achieve root, with no user interaction required and low privileges needed. Because the scope is unchanged, the attacker’s effects are confined to the compromised device but could be extended to other devices on the same management network if interfaces are shared.

**Who is most exposed** Environments where web management is reachable from enterprise networks, VPNs, or the public internet, and where multiple devices share management interfaces or credentials. Common in OT/industrial sites with limited segmentation and remote maintenance access.

Detection ideas

• Unusual root-level processes or shell activity from the web UI.
• Unexpected configuration changes shortly after login from unfamiliar IPs.
• Web UI logs showing command execution or injection attempts.
• Anomalous authentication events or failed login bursts to the management interface.
• Sudden drops in device availability after web-management access.

Mitigation and prioritisation

• Apply the vendor patch to 1.7.4+ or the latest advised firmware immediately.
• Enforce MFA for web management, restrict access to trusted networks/VPN, and segment OT from IT.
• Disable or strongly restrict remote web management unless explicitly required.
• Review and harden input validation; consider a WAF or application-layer controls.
• Change-management: monitor for configuration changes and credential misuse; conduct an incident-response drill. If KEV or EPSS indicates higher urgency, tier accordingly.