Autel MaxiCharger AC Elite Business C50 BLE AppChargingControl Stack-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2024-23959

8HIGH

Key Information:

Vendor: Autel
Status: Maxicharger Ac Elite Business C50
Vendor: CVE Published:; 28 September 2024

What is CVE-2024-23959?

The vulnerability pertains to a stack-based buffer overflow in the implementation of the AppChargingControl command within the Autel MaxiCharger AC Elite Business C50. The flaw allows network-adjacent attackers to exploit affected installations by executing arbitrary code on the device. Although necessary authentication exists, it can be bypassed, making it easier for attackers to execute malicious commands. The root cause of the vulnerability lies in inadequate validation of user-supplied data length before it is copied to a fixed-length buffer, thereby enabling potential unauthorized control over the device.

Affected Version(s)

MaxiCharger AC Elite Business C50 1.32.00

References

https://www.zerodayinitiative.com/advisories/ZDI-24-851/

x_research-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 28, 2024

JSON