
Phoenix Contact CHARX SEC-3XXX AC Charging Controller Scanner
This scanner detects whether a digital asset is affected by the Phoenix Contact CHARX SEC-3XXX AC Charging Controller vulnerability.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 19 days 3 hours
Scan only one: URL
Toolbox: -
Phoenix Contact CHARX SEC-3XXX AC Charging Controllers are used in electric vehicle charging infrastructure. They are commonly deployed by businesses that provide charging solutions for electric vehicles, as well as in public charging stations owned by municipalities. Used for smart charging, they optimize charging efficiency and manage charging loads. These controllers are central to the reliable and efficient delivery of electricity to vehicles. They are also used in networked charging deployments where remote management is required, which makes it easier to manage electric vehicle charging at scale in urban environments.
The detected vulnerability is the potential exposure of system information through the CHARX SEC-3XXX AC Charging Controller's REST API. The exposed details may include OS release details, firmware, and hardware information. The presence of this information alone may not constitute a severe vulnerability, but access to it can assist further exploitation of related flaws. Detecting that the API is reachable shows whether unauthorized parties could query these specific endpoints. Recognizing the REST API's presence is the first step in evaluating potential misconfigurations or unintentional exposures, and ensuring these details are not openly accessible prevents this information disclosure.
The detection targets the REST API endpoint of the CHARX SEC-3XXX AC Charging Controller. Specifically, the endpoint {{BaseURL}}/api/v1.0/web/retained-data is requested. The check confirms that the strings "charging_controllers" and "system" appear in the response body and that the status code indicates success. The information that can then be extracted from the JSON response includes the system architecture, kernel details, and device-specific information such as hardware and firmware versions. That this endpoint can be queried without any authentication illustrates the misconfiguration risk when the device is not properly secured.
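The following Python example, added here and not part of the scanner or of Phoenix Contact's software, implements the detection logic just described so that an asset owner can run it against a controller they administer or against a saved response. The endpoint path and the two markers come from the text above; the sample response bodies are constructed for offline use, and the field names under "system" (architecture, kernel, hardware, firmware) are assumptions, since the page does not show the real JSON layout. The example goes slightly beyond the text by requiring the markers to be top-level JSON keys rather than bare substrings, which avoids flagging an unrelated page that merely mentions both words.

```python
import json
from typing import Any, Dict

# Path checked by the scanner described above, relative to the device base URL.
ENDPOINT = "/api/v1.0/web/retained-data"

# Both markers must be present in the response body for a positive detection.
REQUIRED_MARKERS = ("charging_controllers", "system")

# Constructed sample body for offline use. It is NOT captured from a real
# controller; the field names under "system" are assumptions for illustration.
SAMPLE_EXPOSED_BODY = json.dumps({
    "charging_controllers": [{"id": 0, "state": "idle"}],
    "system": {
        "architecture": "armv7l",
        "kernel": {"release": "x.y.z-sample"},
        "hardware": {"version": "HW-SAMPLE"},
        "firmware": {"version": "FW-SAMPLE"},
    },
})

# Constructed body of an unrelated application that answers 200 and happens to
# mention both marker words as text, but not as top-level keys.
SAMPLE_UNRELATED_BODY = json.dumps(
    {"message": "see docs for charging_controllers and system settings"}
)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted keys (e.g. 'kernel.release') so the
    extracted details can be reported without hard-coding the device schema."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def evaluate(status_code: int, body: str) -> Dict[str, Any]:
    """Apply the detection: success status plus both markers in the body.
    Returns a verdict, a reason, and the flattened 'system' block if exposed."""
    result: Dict[str, Any] = {"exposed": False, "reason": "", "system": {}}
    if not 200 <= status_code < 300:
        result["reason"] = f"non-success status {status_code}"
        return result
    missing = [m for m in REQUIRED_MARKERS if m not in body]
    if missing:
        result["reason"] = "missing markers: " + ", ".join(missing)
        return result
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        result["reason"] = "markers present but body is not JSON"
        return result
    # Substring matching alone would accept any document containing both words;
    # require them as top-level keys to reduce false positives.
    if not isinstance(data, dict) or not all(m in data for m in REQUIRED_MARKERS):
        result["reason"] = "markers present only as text, not as top-level keys"
        return result
    result["exposed"] = True
    result["reason"] = "retained-data endpoint answered with system details"
    result["system"] = flatten(data.get("system", {}))
    return result


def fetch_and_evaluate(base_url: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Query a controller you administer and evaluate its response.
    Not called at import time, so the module stays usable offline."""
    import urllib.error
    import urllib.request

    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # A 401/403 here is the desired outcome: the endpoint is protected.
        return evaluate(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for label, status, body in (
        ("exposed device", 200, SAMPLE_EXPOSED_BODY),
        ("protected device", 401, SAMPLE_EXPOSED_BODY),
        ("unrelated app", 200, SAMPLE_UNRELATED_BODY),
    ):
        print(label, "->", evaluate(status, body))
```

A verdict of `exposed: True` means the endpoint returned system details without credentials; the expected state after remediation is a non-success status (for example 401 or 403) or the endpoint being unreachable from untrusted networks, which `fetch_and_evaluate` reports as not exposed.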
If the API is left unsecured, it can leak sensitive information about the charging infrastructure. Adversaries could use this publicly accessible data to map network components or refine subsequent attacks. Firmware and hardware details can be matched against version-specific vulnerabilities or configuration weaknesses, and exposed system architecture and kernel details give attackers what they need to tailor their exploit strategies. Protecting this information is vital to maintaining the security of the charging station's infrastructure.