CVE-2024-43650

Name of the Vulnerable Software and Affected Versions Iocharger firmware for AC models versions prior to 24120701

Description The issue is related to an improper neutralization of special elements used in a command, also known as 'Command Injection', which allows OS Command Injection as root. This gives the attacker full control over the charging station, allowing them to add, modify, and delete files and services arbitrarily. The attack can be executed over any network connection serving the web interface and does not require user interaction. The likelihood of the attack is moderate, but the impact is critical, with potential safety implications due to the high power used by the EV charger.

Recommendations For Iocharger firmware for AC models versions prior to 24120701: Update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the vulnerable binary or limiting the privileges of the account that can access it. Avoid using the vulnerable firmware until a patch is available. Restrict access to the web interface to minimize the risk of exploitation. Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability, so the above recommendations are based on general best practices for mitigating the risk.