CVE-2024-43655

Name of the Vulnerable Software and Affected Versions Iocharger firmware for AC model chargers versions prior to 24120701

Description The issue is related to an improper neutralization of special elements used in a command, allowing OS command injection as root. This gives an attacker full control over the charging station, enabling them to add, modify, and delete files and services arbitrarily. The attack can be automated and has a potential safety impact due to the charger handling significant power. The likelihood of the attack is moderate, requiring the attacker to find the script name and have a low-privilege account or convince a user to execute a request. However, the impact is critical, leading to a fully compromised system.

Recommendations For Iocharger firmware for AC model chargers versions prior to 24120701, update to version 24120701 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable script or disabling it until a patch is available. Avoid using any potentially vulnerable API endpoints or parameters that could lead to command injection. Ensure that all network interfaces serving the web UI are properly secured and monitored.