Skip to the content.

CVE-2024-43648

Authenticated command injection via <redacted>.exe <redacted> parameter

CVE CVE-2024-43648
Title Authenticated command injection via <redacted>.exe <redacted> parameter
Case DIVD-2024-00035
Credits
Affected products
Product Affected Unaffected Unknown
Iocharger Iocharger firmware for AC models >= 0 to < 24120701 (custom)
everything else
CVSS
Base score 9.3 - CRITICAL
Attack Vector NETWORK
Attack Complexity> LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems LOW
Availability Impact
Vulnerable system HIGH Subsequent systems HIGH
Safety impact PRESENT
Automatable YES
Recovery NOT_DEFINED
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s)
Impact(s) CAPEC-88 OS Command Injection
Date published 09 Jan 2025 00:00 UTC
Last modified

Description

Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execution as the root user.

This issue affects Iocharger firmware for AC models before version 24120701.

Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.

Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.

CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).  A compromised charger can be used to "pivot" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H). Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (S:P). The attack can be automated (AU:Y).


JSON version.