CVE-2025-41708
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-08

Assigner: CERT VDE

Description
Due to an unsecure default configuration HTTP is used instead of HTTPS for the web interface. An unauthenticated attacker on the same network could exploit this to learn sensitive data during transmission.
Meta Information
Published: 2025-09-08
Last Modified: 2025-09-08
Generated: 2026-06-16
AI Q&A: 2025-09-08
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (6 associated CPEs)

Vendor                    Product            Version / Range
bender_gmbh_and_co_kg     charge_controller  icc15xx
bender_gmbh_and_co_kg     charge_controller  icc16xx
bender_gmbh_and_co_kg     charge_controller  icc13xx
bender_gmbh_and_co_kg     charge_controller  cc612
bender_gmbh_and_co_kg     charge_controller  cc613
bender_gmbh_and_co_kg     charge_controller  *
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Executive Summary

This vulnerability exists because the affected devices ship with an insecure default configuration in which the web interface is served over HTTP instead of HTTPS. All traffic to and from the interface is therefore transmitted in cleartext, so an unauthenticated attacker on the same network can intercept it and read sensitive information in transit. [1]

Impact Analysis

Because web interface traffic is sent over HTTP, an attacker on the same network can intercept it and read the sensitive data it carries. This compromises the confidentiality and integrity of that data and may lead to unauthorized access or information leakage. It does not affect the electrical safety of the devices. [1]

Compliance Impact

This vulnerability can negatively affect compliance with standards and regulations such as GDPR and HIPAA, which require that sensitive data be protected in transit. Serving the interface over HTTP instead of HTTPS leaves that data unprotected and may constitute a violation of those data protection requirements. [1]

Detection Guidance

This vulnerability can be detected by checking whether the web interface of the affected Bender GmbH & Co. KG Charge Controller devices is reachable over HTTP rather than HTTPS. On your own network, scan for devices answering on the default web interface port (usually port 80) with a tool such as nmap, for example: nmap -p 80 --open <target-ip-range>. Then use curl or a web browser to request the device's web interface over HTTP and confirm whether the connection is unencrypted, for example: curl -I http://<device-ip>. If the device serves the interface over HTTP without redirecting to HTTPS, it is vulnerable. [1]
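The check described above can be automated for an inventory of charge controllers. The following script is an added example and is not code from BaseFortify, Bender, or the CVE record. It parses the response header block that curl -I prints (or that a HEAD request returns) and classifies the device as serving cleartext, redirecting to plain HTTP (still cleartext), or redirecting to HTTPS. The sample header blocks and the 192.0.2.x address are constructed for illustration; the probe() helper is the author's own and issues the same HEAD request curl -I does.

```python
"""Classify a device's HTTP web interface for the CWE-319 default-configuration
issue: does the plain-HTTP entry point serve content, or redirect to HTTPS?

Added example; not part of the CVE record or any vendor tooling.
"""
import http.client
import sys
import urllib.parse

# Constructed sample responses (not captured from any real device).
SAMPLE_CLEARTEXT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
)
SAMPLE_REDIRECT_HTTPS = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://192.0.2.10/\r\n"
    "\r\n"
)
SAMPLE_REDIRECT_HTTP = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://192.0.2.10/login\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Parse a raw header block (as `curl -I` prints it).

    Returns (status_code, headers) with header names lower-cased.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])      # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status, headers):
    """Return 'redirects-to-https', 'redirects-to-http' or 'cleartext'."""
    if status in REDIRECT_CODES:
        scheme = urllib.parse.urlsplit(headers.get("location", "")).scheme
        if scheme.lower() == "https":
            return "redirects-to-https"
        return "redirects-to-http"      # redirect, but still plain HTTP
    return "cleartext"                   # content served directly over HTTP


def cleartext_findings(headers):
    """Note headers that show sensitive material crossing the wire unencrypted."""
    findings = []
    if "set-cookie" in headers:
        findings.append("session cookie sent over HTTP")
    if "www-authenticate" in headers:
        findings.append("credentials requested over HTTP")
    return findings


def check_device(raw_head):
    """Full verdict for one device from its plain-HTTP response header block."""
    status, headers = parse_head(raw_head)
    verdict = classify(status, headers)
    vulnerable = verdict != "redirects-to-https"
    return {
        "status": status,
        "verdict": verdict,
        "vulnerable": vulnerable,
        "findings": cleartext_findings(headers) if vulnerable else [],
    }


def probe(host, port=80, timeout=5):
    """Send the HEAD request `curl -I` would and return the raw header block."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return raw + "\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_http.py <device-ip> [<device-ip> ...]
        for host in sys.argv[1:]:
            print(host, check_device(probe(host)))
    else:
        for name, sample in [("cleartext", SAMPLE_CLEARTEXT),
                             ("https-redirect", SAMPLE_REDIRECT_HTTPS),
                             ("http-redirect", SAMPLE_REDIRECT_HTTP)]:
            print(name, check_device(sample))
```

A redirect to an http:// URL is deliberately still reported as vulnerable: the interface remains reachable in cleartext, and any cookie or credential exchanged after the redirect is just as exposed as on a 200 response. Run the script without arguments to see the three constructed cases, or pass device addresses from your nmap output to check them directly.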

Mitigation Strategies

The immediate mitigation is to enable HTTPS in the device settings so that the web interface is served over an encrypted channel. This stops sensitive data from being transmitted in cleartext and protects it from interception by unauthenticated attackers on the same network. [1]
