CVE-2025-24002: CWE-20 Improper Input Validation in Phoenix Contact CHARX SEC-3150
An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they are restarted by the watchdog.
AI Analysis
Technical Summary
CVE-2025-24002 is a medium-severity vulnerability identified in the Phoenix Contact CHARX SEC-3150 charging stations, which are compliant with the German Calibration Law. The vulnerability arises from improper input validation (CWE-20) in the handling of MQTT messages by the device. Specifically, an unauthenticated remote attacker can send crafted MQTT messages to the charging station, causing a service crash. This crash results in a temporary denial-of-service (DoS) condition, rendering the charging station non-operational until it is automatically restarted by an internal watchdog mechanism. The vulnerability does not impact confidentiality or integrity but affects availability. The CVSS v3.1 score is 5.3, reflecting ease of exploitation (network vector, no privileges or user interaction required) but limited impact scope and severity. No known exploits are currently reported in the wild, and no patches have been published yet. The affected product version is listed as 0.0.0, which likely indicates all current versions or an unspecified version. The vulnerability is significant because it targets charging infrastructure critical for electric vehicle (EV) operations, especially in Germany where calibration compliance is mandatory. The use of MQTT, a common IoT messaging protocol, expands the attack surface to network-exposed interfaces, increasing the risk of remote exploitation without authentication.
Potential Impact
For European organizations, particularly those operating EV charging infrastructure, this vulnerability poses a risk of service disruption. Charging stations affected by this flaw can be temporarily disabled remotely, causing inconvenience to EV users and potential financial losses for operators due to downtime. In critical infrastructure scenarios, such as public charging networks or fleet management, repeated or coordinated exploitation could degrade service reliability and customer trust. Although the impact is limited to availability and does not compromise data confidentiality or integrity, the disruption of charging services can have cascading effects on transportation and energy management systems. The fact that the vulnerability requires no authentication and can be triggered remotely increases the threat level, especially in environments where network segmentation or MQTT message filtering is insufficient. European organizations must consider the operational impact, regulatory compliance implications, and potential reputational damage resulting from service outages caused by this vulnerability.
Mitigation Recommendations
Given the absence of an official patch, organizations should implement network-level controls to mitigate risk. This includes restricting MQTT traffic to trusted sources only, employing network segmentation to isolate charging station management interfaces from public or untrusted networks, and deploying MQTT message filtering or validation proxies to detect and block malformed or suspicious messages. Monitoring MQTT traffic for anomalies and implementing rate limiting can reduce the risk of DoS attempts. Additionally, organizations should ensure watchdog and automatic restart mechanisms are functioning correctly to minimize downtime. Engaging with Phoenix Contact for timely patch releases and applying updates promptly once available is critical. Furthermore, conducting regular security assessments of IoT and charging infrastructure, including penetration testing focused on MQTT interfaces, will help identify and remediate similar vulnerabilities proactively.
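The message-filtering and rate-limiting controls described above, as an added example that is not Phoenix Contact's or the advisory's own code: a minimal PUBLISH filter that a validation proxy or broker plugin could apply before traffic reaches a station. The topic namespace, size limit, JSON command schema and rate-limit figures are assumptions chosen for illustration.

```python
# Added example: allow-listed topics, size and schema validation, and a per-client
# sliding-window rate limit for MQTT PUBLISH messages. All constants are assumptions.
import json
import time
from collections import defaultdict, deque

ALLOWED_TOPIC_PREFIXES = ("charx/cmd/",)          # assumed command namespace
MAX_PAYLOAD_BYTES = 1024                           # assumed upper bound for a command
RATE_LIMIT = (20, 10.0)                            # at most 20 messages per 10 s per client
REQUIRED_FIELDS = {"cmd": str, "evse_id": int}     # assumed command schema


class MqttFilter:
    def __init__(self, now=time.monotonic):
        self.now = now                             # injectable clock for testing
        self.history = defaultdict(deque)          # client id -> timestamps in window

    def _rate_limited(self, client):
        limit, window = RATE_LIMIT
        q = self.history[client]
        t = self.now()
        while q and t - q[0] > window:             # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(t)
        return False

    def check(self, client, topic, payload):
        """Return (allowed, reason); reason is empty when the message is allowed."""
        if not topic.startswith(ALLOWED_TOPIC_PREFIXES) or "#" in topic or "+" in topic:
            return False, "topic not in allow-list"
        if len(payload) > MAX_PAYLOAD_BYTES:
            return False, "payload too large"
        try:
            msg = json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return False, "payload is not UTF-8 JSON"
        if not isinstance(msg, dict):
            return False, "payload is not a JSON object"
        for field, typ in REQUIRED_FIELDS.items():
            value = msg.get(field)
            if not isinstance(value, typ) or isinstance(value, bool):
                return False, f"field {field!r} missing or wrong type"
        if self._rate_limited(client):             # count only well-formed messages
            return False, "rate limit exceeded"
        return True, ""


if __name__ == "__main__":
    f = MqttFilter()
    samples = [  # constructed sample messages, not captured traffic
        ("cli-1", "charx/cmd/start", b'{"cmd": "start", "evse_id": 1}'),
        ("cli-1", "charx/cmd/start", b"\xff\xfe\x00"),
        ("cli-1", "charx/#", b"{}"),
    ]
    for client, topic, payload in samples:
        print(topic, f.check(client, topic, payload))
```

Rejections are returned with a reason string so the proxy can log them, which is the anomaly signal the monitoring recommendation relies on.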
Affected Countries
Germany, France, Netherlands, Belgium, Austria, Switzerland, Sweden, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-01-16T15:48:36.249Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686cc4256f40f0eb72f2425b
Added to database: 7/8/2025, 7:09:25 AM
Last enriched: 7/8/2025, 7:26:11 AM
Last updated: 8/14/2025, 6:42:34 PM