PT-2025-2649 · Iocharger · Iocharger

Authors: Frank Breedijk (+2)
Published: 2025-01-09
Updated: 2025-01-09
CVE: CVE-2024-43648
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Iocharger firmware for AC models, versions prior to 24120701

Description

The issue is a command injection in a specific parameter of a .exe request, leading to remote code execution as the root user. This gives an attacker full control over the charging station, including arbitrarily adding, modifying, and deleting files and services. The attack can be executed over any network connection on which the station is listening and serving the web interface. A compromised charger can be used to "pivot" onto networks that should otherwise be closed, causing a low confidentiality and integrity impact on subsequent systems. Because the device handles significant amounts of power, the vulnerability can potentially have a safety impact.

Recommendations

For Iocharger firmware for AC models, versions prior to 24120701: update to version 24120701 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable binary or disabling the affected parameter to minimize the risk of exploitation. Avoid using the vulnerable parameter in the affected API endpoint until the issue is resolved.

Status: Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2024-43648

Affected Products: Iocharger