CVE-2025-25270 PUBLISHED

Remote Code Execution via Unauthenticated Configuration Manipulation

Assigner: CERTVDE
Reserved: 06.02.2025 Published: 08.07.2025 Updated: 08.07.2025

An unauthenticated remote attacker can alter the device configuration in a way that yields remote code execution as root with specific configurations.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor: Phoenix Contact
Product: CHARX SEC-3150
Versions: Default: unaffected
  • affected from 0.0.0 to 1.7.3 (excl.)

Vendor: Phoenix Contact
Product: CHARX SEC-3100
Versions: Default: unaffected
  • affected from 0.0.0 to 1.7.3 (excl.)

Vendor: Phoenix Contact
Product: CHARX SEC-3050
Versions: Default: unaffected
  • affected from 0.0.0 to 1.7.3 (excl.)

Vendor: Phoenix Contact
Product: CHARX SEC-3000
Versions: Default: unaffected
  • affected from 0.0.0 to 1.7.3 (excl.)

Credits

  • Tobias Scharnowski (finder)
  • Felix Buchmann (finder)
  • Kristian Covic (finder)

Problem Types

  • CWE-913: Improper Control of Dynamically-Managed Code Resources