PT-2025-2652 · Iocharger · Iocharger
Frank Breedijk
+2
·
Published
2025-01-09
·
Updated
2025-01-09
·
CVE-2024-43651
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Iocharger firmware for AC models versions prior to 241207101
Description
The issue is related to an Improper Neutralization of Special Elements used in a Command, also known as a 'Command Injection' vulnerability, which allows OS Command Injection as root. This gives an attacker full control over the charging station, allowing them to arbitrarily add, modify, and delete files and services. The attack requires authentication but does not need special conditions or user interaction. The vulnerability can be automated and may have a potential safety impact due to the charger handling significant power.
Recommendations
For Iocharger firmware for AC models versions prior to 241207101:
Update to a version newer than 241207101 to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable binary or limiting the privileges of accounts that can access it.
Avoid using the vulnerable interface until the issue is resolved.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Iocharger