CVE-2024-43654
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-43654 is a command injection vulnerability in Iocharger firmware for AC models that allows an attacker to inject OS commands executed as the root user. It affects all AC EV charger models on firmware versions before 25010801 and gives an attacker the ability to add, modify, and delete files and services. The vulnerability lies in a binary that is not directly accessible through the web interface, but it can be reached with a low-privilege account or by manipulating a user with such access. The impact is critical: an attacker can compromise the entire charging station and potentially use it as a pivot point to reach other networks. The vulnerability is highly automatable and also carries a potential safety impact because of the power handling capabilities of the EV charger.