CVE-2024-43653
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-43653 is an OS command injection vulnerability in Iocharger firmware for AC model chargers before version 24120701 that lets an attacker execute arbitrary operating system commands as the root user. Exploitation requires a low-privilege account on the charger's web UI, or convincing a user who has such an account to issue a crafted HTTP request. The impact is critical: the attacker gains full control of the charging station and can add, modify and delete files and services. The vulnerable web UI is served on the charger's network interface, and no additional security measures prevent the attack. From the compromised charger the attacker can pivot into connected networks and, because an EV charger switches significant electrical power, potentially cause safety issues. The attack can be automated.
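The advisory names the bug class but not the affected endpoint, so the following is an added illustration of that class and its fix, not Iocharger code and not the actual exploit. The request parameter (`target`), the "diagnostic" the handler runs (`echo`, chosen so the example is harmless and runs offline) and the sample query strings are all constructed for this example. The vulnerable handler interpolates the parameter into a string that `/bin/sh` parses, so a URL-encoded `;` turns one command into two, running with the web server's privileges (root, in the advisory's case); the hardened handler allowlists the value and passes an argv list with no shell involved.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample query strings, as a charger web UI might receive them.
# The second carries a percent-encoded ';' followed by a second command.
BENIGN_QUERY = "target=192.168.1.10"
INJECTED_QUERY = "target=192.168.1.10%3Becho%20INJECTED"

# Allowlist for a hostname/IPv4 literal: letters, digits, '.' and '-', and no
# leading '-' so the value can never be taken as a command-line option either.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")


def target_from_query(query: str) -> str:
    """Return the decoded 'target' parameter (hypothetical parameter name)."""
    return parse_qs(query)["target"][0]


def run_diagnostic_vulnerable(query: str) -> str:
    """Vulnerable pattern: the raw parameter is spliced into a shell string.

    shell=True hands the string to /bin/sh, so ';', '|', '$(...)' and friends
    inside the value become additional commands. Do not use this pattern.
    """
    target = target_from_query(query)
    cmd = f"echo {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_diagnostic_hardened(query: str) -> str:
    """Hardened pattern: validate against an allowlist, then exec an argv list.

    With shell=False no shell ever parses the value, and the allowlist rejects
    anything that is not a plain host literal before it reaches exec().
    """
    target = target_from_query(query)
    if not HOST_RE.fullmatch(target):
        raise ValueError("rejected target: characters outside the allowlist")
    return subprocess.run(["echo", target], shell=False,
                          capture_output=True, text=True).stdout


def injection_succeeded(output: str) -> bool:
    """True if the attacker's second command produced its own output line."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(query: str) -> bool:
    """True if the hardened handler refuses the request outright."""
    try:
        run_diagnostic_hardened(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable output:", repr(run_diagnostic_vulnerable(INJECTED_QUERY)))
    print("hardened rejects injected request:", hardened_rejects(INJECTED_QUERY))
    print("hardened output for benign request:",
          repr(run_diagnostic_hardened(BENIGN_QUERY)))
```

The same two checks are what to look for when reviewing firmware web handlers: any call that lets a shell parse a string containing request data is the bug, and the fix is an allowlist on the value plus exec-style invocation; running the web server as an unprivileged user would additionally cap the damage when such a bug is missed.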