Command Injection Vulnerability in Iocharger Firmware for AC Model Chargers
CVE-2024-43657

9.3 CRITICAL

Key Information:

Vendor: Iocharger

CVE Published: 9 January 2025

What is CVE-2024-43657?

A vulnerability exists in Iocharger firmware for AC model chargers prior to version 24120701 that allows command injection and can give an attacker root access to the device. The flaw can be exploited by a low-privileged user who can reach the action.exe CGI binary and upload a malicious firmware file. Once the device is compromised, the attacker has complete control over the charging station, including the ability to add, modify, or delete files and services. This poses a risk not only to the integrity of the device but also to network security, since a compromised charger may provide a foothold into otherwise protected networks.

Affected Version(s)

Iocharger firmware for AC models 0 < 2024120701

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)