Command Injection Vulnerability in Iocharger Firmware for AC Models
CVE-2024-43654
What is CVE-2024-43654?
The Iocharger AC EV charger firmware contains a command injection vulnerability that allows an attacker with a low-privileged account to execute arbitrary commands as root. It affects all AC models running firmware versions prior to 25010801. An attacker exploits it by sending crafted HTTP requests that take advantage of improper neutralization of special elements in request input. Once exploited, the attacker gains full control of the charging station and can add, modify, or delete files and services at will. Because the device switches significant electrical power, this is a potential safety hazard as well as a security risk.
Affected Version(s)
Iocharger firmware for AC models, all versions from 0 up to but not including 25010801
EPSS Score
5% chance of being exploited in the next 30 days.