Command Injection Vulnerability in Iocharger AC Model Firmware
CVE-2024-43653

9.3 CRITICAL

Key Information:

Vendor
Iocharger
Product
Iocharger firmware for AC models
CVE Published:
9 January 2025

Summary

A command injection vulnerability exists in the Iocharger firmware for AC model chargers prior to version 24120701. The issue arises from improper neutralization of special elements used in an OS command (CWE-78), allowing an attacker to execute arbitrary OS commands as root. Two factors limit exploitation: the vulnerable binary does not appear to be directly reachable from the web interface, and the attacker needs a low-privilege account on the device. Once exploited, the attacker has full control of the charging station as root and can add, modify or delete files and services. The potential safety impact of a compromised charger, together with the fact that the attack can be automated, makes it urgent to update affected devices.
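The advisory does not describe the affected binary or the input it mishandles, so the following is an added, generic illustration of the vulnerability class (CWE-78 in an embedded Linux helper), not Iocharger code. The "ping a host" helper, the `host` field and the `/bin/ping` path are assumptions for the example. The vulnerable function pastes the field into a shell command line; the hardened form validates the field against an allowlist and then runs the program through `execv` with an argv array, so no shell ever re-parses the value.

```c
/* Added example: CWE-78 OS command injection in a small embedded helper.
 * Hypothetical code, not from the Iocharger firmware or the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the caller-controlled 'host' is spliced into a shell command.
 * Anything the shell understands (";", "$()", "|", "&&") is executed, and if
 * the helper runs as root, so does the injected command. Only the string is
 * built here so it can be inspected; a real helper would hand it to system(). */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: allowlist the field. A hostname or IPv4 literal only needs
 * letters, digits, '.' and '-'; everything else (spaces, ';', '$', quotes) is
 * rejected. A leading '-' is rejected too, since ping would read it as an
 * option rather than a target. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;
    if (host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. fork/execv with an explicit argv means the
 * host is passed as exactly one argument and is never re-parsed. The "--"
 * separator (assumed to be honoured by the target's ping) ends option parsing
 * as a second guard against option injection. Returns ping's exit status,
 * or -1 on validation failure or a process error. */
int run_ping_hardened(const char *host)
{
    if (!is_safe_host(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", "--", (char *)host, NULL };
        execv("/bin/ping", argv);   /* assumed path on the device */
        _exit(127);                 /* exec failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a host field carrying an injected command. */
    const char *evil = "8.8.8.8; id";
    char cmd[256];

    if (build_ping_cmd_vulnerable(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable helper would run: %s\n", cmd);

    printf("hardened helper accepts \"%s\": %s\n", evil,
           is_safe_host(evil) ? "yes" : "no");
    printf("hardened helper accepts \"8.8.8.8\": %s\n",
           is_safe_host("8.8.8.8") ? "yes" : "no");
    return 0;
}
```

The allowlist, not an escaping routine, is the primary control: it is easy to reason about and fails closed. Avoiding `system()` is the second, independent layer, so that even a field that slips past validation cannot reach a shell. On a device where such a helper must run as root, it should also drop to an unprivileged user before `execv`, so that an injection in one helper does not turn into root on the whole charger.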

Affected Version(s)

Iocharger firmware for AC models, all versions before 24120701

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 9 January 2025

Collectors

NVD Database, MITRE Database

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)