CVE-2025-41708
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-08
Assigner: CERT VDE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bender_gmbh_and_co_kg | charge_controller | icc15xx |
| bender_gmbh_and_co_kg | charge_controller | icc16xx |
| bender_gmbh_and_co_kg | charge_controller | icc13xx |
| bender_gmbh_and_co_kg | charge_controller | cc612 |
| bender_gmbh_and_co_kg | charge_controller | cc613 |
| bender_gmbh_and_co_kg | charge_controller | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the affected devices use an insecure default configuration where the web interface communicates over HTTP instead of HTTPS. This means data is transmitted in cleartext, allowing an unauthenticated attacker on the same network to intercept and access sensitive information during transmission. [1]
How can this vulnerability impact me?
The vulnerability can lead to sensitive data being exposed to attackers on the same network, as they can intercept communications sent over HTTP. This compromises confidentiality and integrity of the data, potentially leading to unauthorized access or information leakage. However, it does not affect the electrical safety of the devices. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data during transmission. Using HTTP instead of HTTPS means data is not adequately protected, potentially leading to violations of data protection requirements. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the web interface of the affected Bender GmbH & Co. KG Charge Controller devices is accessible via HTTP instead of HTTPS. On your network, you can scan for devices responding on the default web interface ports (usually port 80) using tools like nmap. For example, you can run: `nmap -p 80 --open <target-ip-range>`. Additionally, you can use curl or a web browser to access the device's web interface via HTTP and verify whether the connection is unencrypted. For example: `curl -I http://<device-ip>`. If the device responds over HTTP without redirecting to HTTPS, it is vulnerable. [1]
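The "responds over HTTP without redirecting to HTTPS" test above can be scripted for an inventory of your own charge controllers. This is an added example, not vendor or BaseFortify code; the function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample headers are constructed.

# Read raw response headers (as printed by `curl -sI http://<device-ip>`) on
# stdin and print one verdict:
#   cleartext      - a non-redirect answer was served over HTTP (finding)
#   redirect-http  - redirect that is relative or stays on http:// (finding)
#   redirect-https - plain HTTP only redirects to an https:// URL
#   no-response    - no HTTP status line was seen
classify_http_headers() {
  tr -d '\r' | awk '
    /^HTTP\//                  { status = $2; loc = "" }
    tolower($0) ~ /^location:/ { loc = tolower($0); sub(/^location:[ \t]*/, "", loc) }
    END {
      if (status == "")              print "no-response"
      else if (status !~ /^3/)       print "cleartext"
      else if (loc ~ /^https:\/\//)  print "redirect-https"
      else                           print "redirect-http"
    }'
}

# Probe each host given as an argument on port 80 without following redirects.
# Assumes curl is installed; a timeout or refused connection yields no-response.
audit_hosts() {
  for host in "$@"; do
    verdict=$(curl -sI --max-time 5 "http://$host/" | classify_http_headers)
    printf '%s\t%s\n' "$host" "$verdict"
  done
}

# Constructed sample headers (not captured from a real device).
demo() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | classify_http_headers
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://192.0.2.10/\r\n\r\n' | classify_http_headers
}

# With arguments: audit those hosts. Without: run the constructed demo.
if [ "$#" -gt 0 ]; then audit_hosts "$@"; else demo; fi
```

Hosts reported as `cleartext` or `redirect-http` are the ones where HTTPS still needs to be enabled in the device settings.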
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to enable HTTPS in the device settings to secure the web interface communication. This will prevent sensitive data from being transmitted in cleartext and protect against interception by unauthenticated attackers on the same network. [1]