Autel MaxiCharger AC Elite Business C50 Stack-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2024-23957

8.8 HIGH

Key Information:

Vendor: Autel
CVE Published: 28 September 2024

What is CVE-2024-23957?

A stack-based buffer overflow exists in the DLB_HostHeartBeat handler of the DLB protocol in Autel MaxiCharger AC Elite Business C50 charging stations. The flaw allows network-adjacent attackers to execute arbitrary code: user-supplied data is improperly validated when an AES key is parsed, which lets an attacker overflow a fixed-length stack-based buffer and take unauthorized control of the device. Because authentication is not required for exploitation, this vulnerability poses a substantial risk to affected installations.

Affected Version(s)

MaxiCharger AC Elite Business C50 1.32.00

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published