Command Injection Vulnerability in Iocharger Firmware for AC Model Chargers
CVE-2024-43655

CVSS v4 score: 9.3 (CRITICAL)

Key Information:

Vendor: Iocharger
Product: Iocharger firmware for AC models
CVE Published: 9 January 2025

Summary

A command injection vulnerability exists in the Iocharger firmware for AC model chargers that allows an attacker with low privileges to execute arbitrary commands as the root user. By exploiting this flaw, an attacker gains full control over the device and can add, modify, or delete files and services. Exploitation requires that the attacker can identify the script name and has access to a low-privileged account from which to initiate the attack. Because this vulnerability can lead to unauthorized access to critical systems and may affect the functionality and safety of electric vehicle charging stations, immediate attention and remediation are strongly advised.

Affected Version(s)

Iocharger firmware for AC models, all versions earlier than 24120701 (version range: 0 < 24120701)

References

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

  • NVD Database
  • Mitre Database

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)