CVE-2026-41032
Unauthenticated Adjacent Access to Controller Log Files
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: CERT VDE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phoenix_contact | charx_sec-3000 | * |
| phoenix_contact | charx_sec-3050 | * |
| phoenix_contact | charx_sec-3100 | * |
| phoenix_contact | charx_sec-3150 | < 1.9.0 (fixed in 1.9.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41032 is a vulnerability in the firmware of Phoenix Contact's CHARX SEC-3xxx charging controllers that allows an unauthenticated adjacent attacker to download log files from the controller.
These log files may contain restricted information, potentially exposing sensitive data to unauthorized parties.
The vulnerability affects multiple models including CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 running firmware versions prior to 1.9.0.
It has a high severity rating with a CVSS v3.1 base score of 7.5, primarily impacting confidentiality.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker who is adjacent on the network to access and download log files from the affected charging controllers.
Since these log files may contain restricted or sensitive information, their exposure could lead to unauthorized disclosure of confidential data.
The vulnerability does not affect the integrity or availability of the device, but the confidentiality impact is considered high.
To reduce risk, it is recommended to use these devices only in closed industrial networks protected by a firewall and to upgrade the firmware to version 1.9.0 or later, which fixes the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to download log files containing potentially restricted information, which could lead to unauthorized disclosure of sensitive data.
Such unauthorized exposure of sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding confidential data against unauthorized access.
Mitigation measures include upgrading the firmware to version 1.9.0 or later and using the devices only within closed industrial networks protected by firewalls to reduce the risk of data exposure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-41032, it is recommended to upgrade the firmware of affected Phoenix Contact CHARX SEC-3xxx charging controllers to version 1.9.0 or later, which resolves the issue.
Additionally, these devices should be used exclusively in closed industrial networks protected by a firewall to reduce the risk of exploitation by unauthenticated adjacent attackers.
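The first step in the mitigation above is knowing which controllers in a fleet are still below 1.9.0. The script below is an added example, not Phoenix Contact code, that triages an inventory list against the advisory's affected models and fixed version. The model set and the 1.9.0 threshold come from this page; the hostnames, model strings and firmware strings in the inventory are constructed. It compares versions as integer tuples rather than strings, because a naive string comparison would rank "1.10.0" below "1.9.0" and wrongly report a patched device as vulnerable, and it puts devices whose firmware string cannot be parsed into a separate bucket for manual review instead of silently calling them fixed.

```python
"""Triage a fleet inventory against CVE-2026-41032 by model and firmware version.

Added example, not Phoenix Contact code. Affected models and the fixed
version (1.9.0) are taken from the advisory; the inventory is constructed.
"""
import re

AFFECTED_MODELS = {"SEC-3000", "SEC-3050", "SEC-3100", "SEC-3150"}
FIXED_VERSION = (1, 9, 0)  # first firmware release that contains the fix

# Constructed sample inventory: (hostname, reported model string, firmware string).
INVENTORY = [
    ("charx-01", "CHARX SEC-3000", "1.8.2"),
    ("charx-02", "CHARX SEC-3050", "1.10.0"),   # string compare would flag this as < 1.9.0
    ("charx-03", "charx sec-3100", "v1.9.0"),   # lower-case model, leading "v"
    ("charx-04", "CHARX SEC-3150", "1.7.5"),
    ("charx-05", "CHARX SEC-3150", "unknown"),  # unparseable version: needs manual check
    ("plc-01", "other vendor controller", "1.2.0"),  # assumed unrelated device
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")
_MODEL_RE = re.compile(r"SEC-3\d{3}", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) or None if text is not a plain x.y[.z] version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(m.group(i) or 0) for i in (1, 2, 3))


def affected_model(text):
    """Return the normalized model number (e.g. 'SEC-3150') if in scope, else None."""
    m = _MODEL_RE.search(text)
    if not m:
        return None
    model = m.group(0).upper()
    return model if model in AFFECTED_MODELS else None


def classify(model_text, version_text):
    """One of 'not_affected', 'unknown', 'vulnerable', 'fixed'."""
    if affected_model(model_text) is None:
        return "not_affected"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # cannot prove the fix is present; do not assume it
    return "vulnerable" if version < FIXED_VERSION else "fixed"


def triage(inventory):
    """Group inventory hostnames by classification, preserving input order."""
    buckets = {"vulnerable": [], "fixed": [], "unknown": [], "not_affected": []}
    for host, model, version in inventory:
        buckets[classify(model, version)].append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Devices that land in "vulnerable" need the 1.9.0 upgrade; devices in "unknown" should be checked by hand rather than assumed safe, and until either is done the network-segmentation advice above is the only control in place.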