PT-2025-2650 · Iocharger · Iocharger

Frank Breedijk +2

Published: 2025-01-09 · Updated: 2025-01-09 · CVE-2024-43649

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Iocharger firmware for AC models, versions prior to 24120701

Description: The issue is an authenticated command injection in the filename parameter of a certain .exe request, leading to remote code execution as the root user. This gives an attacker full control over the charging station, including arbitrarily adding, modifying, and deleting files and services. The attack can be performed over any network connection that serves the web interface and requires no additional mitigating measures or user interaction. The impact is critical, with potential safety implications because of the significant electrical power handled by the vehicle chargers.

Recommendations: For Iocharger firmware for AC models, versions prior to 24120701, update to version 24120701 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable .exe request to minimize the risk of exploitation. Avoid using the vulnerable filename parameter in the affected API endpoint until the issue is resolved.
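The weakness class behind this advisory (OS command injection through a filename parameter) is illustrated below with an added, generic Python example. It is not Iocharger code and not taken from the advisory; the upload directory, the `ls -l` command and the allowlist pattern are hypothetical choices made here to show the defensive pattern: validate the parameter against a strict allowlist, pass the command as an argv list so no shell parses it, and keep a metacharacter check that can also feed request logging or detection.

```python
import re
import subprocess
from pathlib import Path
from typing import List, Set

# Hypothetical directory the firmware might serve files from (not from the advisory).
BASE_DIR = Path("/var/lib/charger/uploads")

# Allowlist: a filename must start with an alphanumeric and contain only
# letters, digits, dot, underscore or hyphen. This excludes "/", "..", spaces
# and every shell metacharacter.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters a POSIX shell would interpret if the value were interpolated
# into a command string. Useful for validation and for logging suspicious input.
SHELL_METACHARS = set(";|&$`<>()\n\r'\"\\*?{}[]~#")


def shell_metacharacters(value: str) -> Set[str]:
    """Return the set of shell metacharacters present in an untrusted value."""
    return {ch for ch in value if ch in SHELL_METACHARS}


def vulnerable_command(filename: str) -> str:
    # Pattern to avoid: interpolating an untrusted parameter into a shell string.
    # Anything after a ';' or '|' in `filename` becomes a second command when
    # this string is handed to a shell. Returned, not executed, for illustration.
    return f"ls -l {BASE_DIR}/{filename}"


def is_valid_filename(filename: str) -> bool:
    """True only if the filename matches the allowlist exactly."""
    return SAFE_NAME.fullmatch(filename) is not None


def validate_filename(filename: str) -> str:
    """Return the filename unchanged if it is safe, otherwise raise ValueError."""
    if not is_valid_filename(filename):
        found = shell_metacharacters(filename)
        raise ValueError(
            f"filename rejected by allowlist; metacharacters found: {sorted(found)}"
        )
    return filename


def build_argv(filename: str) -> List[str]:
    # Hardened: validate first, then build an argv list. With a list and
    # shell=False there is no shell to interpret the value, so even a
    # metacharacter that slipped past the allowlist would be a literal argument.
    safe = validate_filename(filename)
    return ["ls", "-l", str(BASE_DIR / safe)]


def run_safely(filename: str) -> subprocess.CompletedProcess:
    """Execute the command without a shell; raises ValueError on bad input."""
    return subprocess.run(
        build_argv(filename), shell=False, capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and one carrying a metacharacter.
    benign = "report.txt"
    hostile = "report.txt; id"
    print("vulnerable string:", vulnerable_command(hostile))
    print("argv for benign  :", build_argv(benign))
    try:
        build_argv(hostile)
    except ValueError as exc:
        print("rejected         :", exc)
```

The allowlist is the primary control; the argv list is defense in depth so a future change to the allowlist cannot reintroduce a shell parse. The `shell_metacharacters` helper is what you would log at the web layer when a request is refused, which also gives a detection signal for attempts against an unpatched device.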

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers: CVE-2024-43649

Affected Products: Iocharger