Authenticated Command Injection in Iocharger Firmware for AC Models
CVE-2024-43649

9.3CRITICAL

Key Information:

Vendor

Iocharger

Status
Iocharger Firmware For Ac Models
Vendor
CVE Published:
9 January 2025

What is CVE-2024-43649?

This vulnerability involves an authenticated command injection in the filename of a request sent to Iocharger firmware for AC models prior to version 24120701. An attacker with low-level privileges can exploit this flaw, leading to remote code execution with root user access. This gives the attacker full control over the charging station, enabling them to arbitrarily add, modify, or delete files and services. Due to the nature of the attack, which can be executed over any network connection serving the web interface, it poses significant security risks, including potential safety hazards linked to the compromised charging infrastructure.

Affected Version(s)

Iocharger firmware for AC models 0 < 24120701

References

https://csirt.divd.nl/DIVD-2024-00035/
third-party-advisory
https://csirt.divd.nl/CVE-2024-43649/
third-party-advisory
https://iocharger.com
product

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)
.