CVE-2024-43649

Summary

CVE-2024-43649 is a critical vulnerability affecting Iocharger firmware for AC models before version 24120701. An authenticated attacker can exploit this command injection flaw in a <redacted>.exe request, resulting in remote code execution as the root user. The likelihood of this vulnerability being exploited is moderate due to the requirement for an attacker to either reverse-engineer the firmware or gain access to the affected binary. The impact of this vulnerability is severe, granting the attacker full control over the charging station, including the ability to add, modify, and delete files and services. This attack can be performed over any network connection serving the web interface (AV:N), and requires no additional mitigating measures or prerequisites to be bypassed (AC:L/AT:N). The attacker gains root access to the charger (VC:H/VI:H/VA:H), which can potentially be used to gain access to other networks (SC:L/SI:L/SA:H) and may pose a safety risk (S:P). Automated attacks are possible (AU:Y).

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.