CVE-2025-24003 is a high-severity buffer overflow vulnerability (CWE-120) affecting the Phoenix Contact CHARX SEC-3150 charging stations that comply with the German Calibration Law (Eichrecht). The vulnerability arises from improper handling of MQTT messages, where the device performs a buffer copy operation without verifying the size of the input data. This unchecked buffer copy can lead to out-of-bounds writes, allowing an unauthenticated remote attacker to corrupt memory regions. The primary impact is a loss of integrity specifically for the EichrechtAgents component, which is responsible for ensuring compliance with calibration regulations. Additionally, the vulnerability can cause denial-of-service (DoS) conditions, potentially rendering the charging stations inoperable. The vulnerability does not impact confidentiality but affects integrity and availability. Exploitation requires no authentication or user interaction and can be performed remotely over the network via MQTT, a common protocol for IoT and industrial devices. Although no known exploits are currently reported in the wild, the CVSS score of 8.2 reflects the ease of exploitation combined with the significant impact on system integrity and availability. The CHARX SEC-3150 is a specialized charging station product used in regulated environments, particularly in Germany, to ensure compliance with calibration laws for electric vehicle charging. The vulnerability highlights risks in IoT and industrial control systems where buffer overflows can lead to critical operational disruptions and regulatory compliance failures.

For European organizations, especially those operating electric vehicle charging infrastructure in Germany and neighboring countries, this vulnerability poses a significant risk. The loss of integrity in EichrechtAgents could lead to incorrect calibration data or failure to meet legal metrology requirements, potentially resulting in regulatory penalties and loss of trust. The denial-of-service impact could disrupt charging services, affecting business continuity and customer satisfaction. Given the increasing adoption of electric vehicles and the regulatory emphasis on accurate metering, compromised charging stations could have cascading effects on energy management and billing systems. Organizations relying on these devices may face operational downtime, increased maintenance costs, and reputational damage. Furthermore, since the vulnerability is exploitable remotely without authentication, attackers could target multiple stations en masse, amplifying the impact across regions. The threat also underscores the broader risk to critical infrastructure components that integrate IoT protocols like MQTT without robust input validation.

To mitigate this vulnerability, European organizations should prioritize the following actions: 1) Immediate deployment of firmware updates or patches from Phoenix Contact once available; since no patch links are currently provided, organizations should maintain close contact with the vendor for updates. 2) Implement network segmentation to isolate charging stations from broader corporate or public networks, limiting exposure to MQTT traffic from untrusted sources. 3) Employ MQTT broker authentication and encryption (e.g., TLS) to restrict access and prevent unauthorized message injection. 4) Monitor MQTT traffic for anomalous patterns indicative of exploitation attempts, such as malformed or oversized messages targeting the charging stations. 5) Conduct regular security assessments and penetration tests focusing on IoT devices and their communication protocols. 6) Establish incident response plans specific to charging infrastructure to quickly address potential denial-of-service or integrity incidents. 7) Collaborate with regulatory bodies to ensure compliance and report any anomalies related to EichrechtAgents functionality. These measures go beyond generic advice by focusing on network-level controls, vendor coordination, and operational readiness tailored to the specific product and regulatory context.