Arbitrary File Upload Vulnerability in Iocharger Firmware for AC Models
CVE-2024-43662
What is CVE-2024-43662?
The Iocharger firmware for AC models prior to version 24120701 contains a vulnerability that allows arbitrary files to be uploaded to /tmp/upload/ or /tmp/ through specific CGI binaries. This issue arises because the file upload interface is primarily accessible to the iocadmin user. To exploit this flaw, an attacker must have low-level access to a user account or convince a valid user to upload a file deliberately. Although the attacker can upload files, they cannot influence the integrity of device operations without finding and exploiting further vulnerabilities. This underscores the need for ongoing vigilance in firmware security, especially in devices such as electric vehicle chargers that may handle significant power loads.
Affected Version(s)
Iocharger firmware for AC models: versions from 0 up to, but not including, 24120701