CVE-2024-43659
Published: 09 January 2025
Description
After gaining access to the firmware of a charging station, a file at <redacted> can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers. This issue affects Iocharger firmware for AC models before firmware version 25010801. The issue is addressed by requiring a mandatory password change on first login, it is still recommended to change the password on older models. Likelihood: Moderate – The attacker will first have to abuse a code execution or file inclusion vulnerability (for example by using <redacted>.sh) to gain access to the <redacted>.json file, or obtain a firmware dump of the charging station or obtain the firmware via other channels. Impact: Critical – All chargers using Iocharger firmware for AC models started with the same initial password. For models with firmware version before 25010801 a password change was not mandatory. It is therefore very likely that this firmware password is still active on many chargers. These credentials could, once obtained, allow an attacker to log into many Iocharger charging station, and allow them to execute arbitrary commands via the System → Custom page. CVSS clarification: Any network interface serving the web ui is vulnerable (AV:N) and there are not additional security measures to circumvent (AC:L), nor does the attack require and existing preconditions (AT:N). The attack is authenticated, and requires high privileges (PR:H), there is no user interaction required (UI:N). The attack leads to a compromised of the confidentialy of the "super user" credentials of the device (VC:H/VI:N/VA:N), and can subsequently be used to full compromise and other devices (SC:H/SI:H/SA:H). Becuase this is an EV charger handing significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).
Security Summary
CVE-2024-43659 is a vulnerability involving default credentials that are identical across all Iocharger AC model EV chargers and can be extracted from a specific file in the firmware after an attacker gains access to it. The issue affects Iocharger firmware for AC models prior to version 25010801, where no mandatory password change was enforced on first login, leaving the default super user password likely unchanged on many devices.
Exploitation requires an attacker to first obtain firmware access, such as through a code execution or file inclusion vulnerability (for example, via a script like <redacted>.sh) to read the <redacted>.json file containing the credentials, or by acquiring a firmware dump through other means. With network access to the web UI (AV:N/AC:L), high privileges (PR:H), and no user interaction (UI:N), a successful attacker can use these credentials to authenticate to numerous affected chargers and execute arbitrary commands via the System → Custom page, leading to full device compromise (C:H/I:H/A:H) with potential physical safety impacts due to the charger's power handling capabilities. The CVSS v3.1 base score is 7.2.
Advisories from DIVD CSIRT recommend changing the password on older models, as the issue is addressed in firmware version 25010801 and later by enforcing a mandatory password change on first login. Additional details are available at https://csirt.divd.nl/CVE-2024-43659/, https://csirt.divd.nl/DIVD-2024-00035/, and https://iocharger.com. The vulnerability is associated with CWE-256 (Plain-text Storage of a Password), CWE-1391 (Use of Weak Credentials), and CWE-1393 (Improper Mechanisms for Activation or Installation of Services).
Details
- CWE(s)