CVE-2024-43660

High

Published: 09 January 2025

Published

09 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0010 27.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

The CGI script <redacted>.sh can be used to download any file on the filesystem. This issue affects Iocharger firmware for AC model chargers beforeversion 24120701. Likelihood: High, but credentials required. Impact: Critical – The script can be used to download any file on the filesystem, including sensitive files such as /etc/shadow, the CGI script source code or binaries and configuration files. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The confidentiality of all files of the devicd can be compromised (VC:H/VI:N/VA:N). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, this attack in isolation does not have a safety impact. The attack can be automated (AU:Y).

Security Summary

CVE-2024-43660 is a vulnerability in the Iocharger firmware for AC model chargers, affecting versions prior to 24120701. The issue stems from a CGI script, <redacted>.sh, that can be abused to download any file on the device's filesystem. This flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and has a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y, emphasizing high confidentiality impact with low-privilege authentication required.

An attacker with valid credentials can exploit this over any network connection where the charger's web interface is accessible, without needing user interaction or additional preconditions. Successful exploitation allows arbitrary file downloads, including sensitive data like /etc/shadow, CGI script source code, binaries, and configuration files, leading to critical confidentiality breaches. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) underscores the network accessibility and high impact, though the attack is isolated to the device with no integrity, availability, or subsequent system effects.

Advisories from DIVD CSIRT detail the vulnerability at https://csirt.divd.nl/CVE-2024-43660/ and https://csirt.divd.nl/DIVD-2024-00035/, with the vendor site at https://iocharger.com. Mitigation involves updating to firmware version 24120701 or later to address the exposed CGI script.

Details

CWE(s): CWE-552

References

https://csirt.divd.nl/CVE-2024-43660/
csirt@divd.nl
https://csirt.divd.nl/DIVD-2024-00035/
csirt@divd.nl
https://iocharger.com
csirt@divd.nl