CVE-2025-25270 | An unauthenticated remote attacker can alter the device conf… | CVSS 9.8 CRITICAL

Description

An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations.

CVE ID: CVE-2025-25270
State: PUBLISHED
Assigner: CERTVDE
Reserved: 2025-02-06 13:19 UTC
Published: 2025-07-08 07:00 UTC
Last updated: 2025-07-08 14:28 UTC
Primary CWE: CWE-913
CWE-913 Improper Control of Dynamically-Managed Code Resourc…
Vendor / Product: Phoenix Contact / CHARX SEC-3150
Sources: cve.org · NVD

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Affected products (4)

Vendor	Product	Platform	Versions
Phoenix Contact	CHARX SEC-3000	—	0.0.0 < 1.7.3
Phoenix Contact	CHARX SEC-3050	—	0.0.0 < 1.7.3
Phoenix Contact	CHARX SEC-3100	—	0.0.0 < 1.7.3
Phoenix Contact	CHARX SEC-3150	—	0.0.0 < 1.7.3

Weakness (CWE)

CWE	Source	Description
CWE-913	cna	CWE-913 Improper Control of Dynamically-Managed Code Resources

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)