Default Credential Exposure in Iocharger AC Model EV Chargers
CVE-2024-43659

8.3 HIGH

Key Information:

Vendor:
Iocharger

CVE Published:
9 January 2025

What is CVE-2024-43659?

A significant vulnerability exists in Iocharger AC model EV chargers: default credentials are stored in the firmware, and they are the same across all units. A large number of chargers is therefore susceptible to unauthorized access, in particular those running firmware versions prior to 25010801. An attacker who can read sensitive files on the device, for example through a code execution or file inclusion vulnerability, can recover these credentials and use them to take control of the charging station and perform malicious actions. The issue has been partially mitigated by enforcing a password change on first login, but many devices may still retain the default password and remain exposed. Upgrading the firmware immediately and replacing the default credentials are strongly recommended to protect against unauthorized access.

Affected Version(s)

Iocharger firmware for AC models, all versions earlier than 25010801

References

CVSS v4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wilco van Beijnum
Harm van den Brink (DIVD)
Frank Breedijk (DIVD)