Remote Code Execution Vulnerability in Iocharger Firmware for AC Models
CVE-2024-43648

9.3 CRITICAL

Key Information:

Vendor: Iocharger
CVE Published: 9 January 2025

What is CVE-2024-43648?

A command injection vulnerability exists in the Iocharger firmware for AC models prior to version 24120701, allowing attackers to execute arbitrary code remotely as the root user. Exploitation requires the attacker to have low-privileged access, or to deceive a user with such privileges into triggering the exploit. The risk is severe: an attacker could fully compromise the charging station, leading to malicious manipulation of files and services and potentially affecting device performance and safety.

Affected Version(s)

Iocharger firmware for AC models 0 < 24120701

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)