
Gadha

Researcher from Trend Micro's Zero Day Initiative
#26304 of 53,625
9.8 Total CVSS
Vulnerabilities · 1
PT-2024-7101
9.8
2024-08-13
Phoenix Contact · Phoenix Contact Charx Sec-3000 · CVE-2024-6788
**Name of the Vulnerable Software and Affected Versions**

Phoenix Contact CHARX SEC-3000 versions up to 1.6.2

**Description**

A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user `user-app` to the default password. The issue is related to insecure default resource initialization.

**Recommendations**

For Phoenix Contact CHARX SEC-3000 versions up to 1.6.2, update the firmware to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the firmware update feature on the LAN interface to minimize the risk of exploitation.