CVE-2024-43649
Published: 09 January 2025
Description
Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701.

Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.

Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.

CVSS clarification: This attack can be performed over any network connection serving the web interface (AV:N), and there are no additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L); there is no user interaction required (UI:N). The attack leads to a full compromise of the charger (VC:H/VI:H/VA:H), and a compromised charger can be used to "pivot" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV charger with significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).
Security Summary
CVE-2024-43649 is an authenticated OS command injection vulnerability (CWE-78, Improper Neutralization of Special Elements used in an OS Command; CWE-250, Execution with Unnecessary Privileges) in the filename of a <redacted>.exe request within the Iocharger firmware for AC models prior to version 24120701. Because the web service that handles the request runs as root, the injected command runs as root too, giving remote code execution with no privilege boundary between the web interface and the operating system. Published on 2025-01-09, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network reachability, low attack complexity and a low-privilege requirement. Note that the CVSS clarification in the description above uses CVSS v4.0 metric names (AT, VC/VI/VA, SC/SI/SA, S, AU); v4.0 can express the subsequent-system impact of pivoting and the physical safety impact, which the v3.1 vector cannot, so the two vectors are not interchangeable.
Any authenticated user of the web interface, regardless of privilege level, can exploit the vulnerability over any network connection that serves the interface; no user interaction is needed and no additional protective measures stand in the way. Exploitation requires discovering the uncommon injection point, likely via firmware reverse-engineering or exhaustive testing of <redacted> fields, and obtaining low-privilege credentials either directly or by social engineering. A successful attack has critical impact: full root control over the charging station, allowing arbitrary creation, modification and deletion of files and services, use of the compromised charger as a pivot into networks that should not otherwise be reachable, and a potential physical safety risk because of the power the device switches. The remediation is the firmware update to version 24120701 or later; until a charger is updated, limiting which networks can reach its web interface and reviewing who holds accounts on it reduces exposure, since both network reachability and an account are prerequisites.
Advisories from DIVD CSIRT, including https://csirt.divd.nl/CVE-2024-43649/ and https://csirt.divd.nl/DIVD-2024-00035/, along with the vendor site at https://iocharger.com, detail mitigation steps for this issue.
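The following is an added example written for this page; it is not code from Iocharger or DIVD. The advisory redacts the affected binary and request field, so the command shape (`cat /var/log/<filename>`), the function names and the sample request values are assumptions. It shows the class of defect behind CWE-78 in a filename parameter and the two things a fix needs: a strict allowlist on the name and execution without a shell. The unsafe builder is deliberately vulnerable so that the reader can see exactly what `/bin/sh` would receive.

```c
/* Added illustration of CWE-78 through a filename parameter.  Hypothetical
 * code: the real Iocharger binary and field are redacted in the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (deliberately kept): the request's filename is spliced
 * into a shell command line.  A value such as "x.log; id > /tmp/pwned" is
 * parsed by /bin/sh, and because embedded web daemons frequently run as
 * root, the injected command runs as root as well.  Returns 0 on success. */
int build_command_unsafe(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "cat /var/log/%s", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the unsafe command line built for `filename` contains
 * `needle`; lets a caller observe what the shell would be handed. */
int unsafe_command_contains(const char *filename, const char *needle)
{
    char cmd[256];
    if (build_command_unsafe(filename, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* Hardened check: allowlist rather than denylist.  Accept only a plain
 * basename of bounded length made of [A-Za-z0-9._-], with no leading dot
 * (blocks ".", ".." and dotfiles) and therefore no path separators. */
int filename_is_safe(const char *filename)
{
    size_t len = strlen(filename);
    if (len == 0 || len > 64) return 0;
    if (filename[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened execution: validate, then exec with an argv array so the
 * filename is never re-parsed by a shell.  Returns the child's exit
 * status, or -1 if the name was rejected or fork/exec failed. */
int cat_log_safe(const char *filename)
{
    if (!filename_is_safe(filename)) return -1;
    char path[128];
    snprintf(path, sizeof path, "/var/log/%s", filename);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/cat", "cat", path, (char *)NULL);
        _exit(127);            /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Triage helper: 1 if the string holds a character a POSIX shell treats
 * specially.  Useful when reviewing captured requests for this bug class. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n'\"\\ ") != NULL;
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *benign = "charger-2024-12.log";
    const char *injected = "x.log; id > /tmp/pwned";
    char cmd[256];

    build_command_unsafe(injected, cmd, sizeof cmd);
    printf("what /bin/sh would receive: %s\n", cmd);
    printf("benign   accepted by allowlist: %d\n", filename_is_safe(benign));
    printf("injected accepted by allowlist: %d\n", filename_is_safe(injected));
    printf("injected has shell metachar:    %d\n", has_shell_metachar(injected));
    return 0;
}
```

`filename_is_safe` rejects names instead of trying to escape them: quoting a value for `/bin/sh` is fragile, whereas an argv array passed to `execl` is never re-parsed. The CWE-250 half of the finding is addressed separately, by running the web daemon as an unprivileged user so that a validation bypass does not hand over root.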
Details
- CWE(s)