CVE-2024-43657

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Jan 9, 2025
CWE ID 434 (Unrestricted Upload of File with Dangerous Type)
CWE ID 78 (Improper Neutralization of Special Elements used in an OS Command)

Summary

CVE-2024-43657 is an OS command injection vulnerability (CWE-78) in Iocharger firmware for AC model chargers before version 24120701. An attacker holding a low-privileged account (PR:L) can inject OS commands that execute as root, because special elements in user-supplied input are not properly neutralized before they reach the command. The impact is critical: the attacker gains full control of the charging station and can add, modify and delete files and services. The metric abbreviations that follow come from the CVSS 4.0 vector (the 8.8 score above is the CVSS 3.1 base score): the flaw is reachable over the network (AV:N), attack complexity is low because no additional security measures stand in the way (AC:L), no special preconditions are required (AT:N), and no user interaction is needed (UI:N). A compromised charger can be used to pivot into adjacent, potentially insecure networks (SC:L/SI:L/SA:H), and because EV chargers switch significant power there is a potential safety impact (S:P). Exploitation can be automated (AU:Y), and the likelihood of exploitation is assessed as high.
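The advisory names CWE-78 but does not say which parameter is injected or how. As an added illustration, not taken from the Iocharger firmware or from this advisory, the C fragment below shows the pattern CWE-78 describes in the style of an embedded device's web handler, beside a hardened form. The diagnostic ping endpoint, the host parameter and the assumption that the web service runs as root are all invented for the example.

```c
/* Added illustration of CWE-78 (OS command injection) as it typically appears
 * in embedded web back ends. NOT Iocharger's code: the "diagnostic ping"
 * handler, its host parameter and the root web service are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the request parameter is pasted into a shell command
 * string and handed to system(). A value such as "8.8.8.8;reboot" makes the
 * shell run a second command as the user the service runs as (assumed root).
 * Shown for contrast only; never call this with untrusted input. */
int diag_ping_vulnerable(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);   /* shell interprets ; | & $ ( ) ` and more */
}

/* Check 1: strict allowlist. Only characters that can appear in an IPv4/IPv6
 * literal or a DNS hostname are accepted; anything else is rejected outright
 * rather than escaped. Returns 1 if acceptable, 0 otherwise. */
int host_is_safe(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;
    if (host[0] == '-') return 0;        /* would be parsed as a ping option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Check 2: no shell at all. The arguments go to execvp() as a vector, so the
 * host string arrives as a single argv element and shell metacharacters are
 * inert. Returns ping's exit status, or -1 if the input is refused or the
 * process cannot be started. */
int diag_ping_hardened(const char *host) {
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *inputs[] = { "8.8.8.8", "charger.example.net",
                             "8.8.8.8; id", "$(reboot)", "-c" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               host_is_safe(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two changes are independent and both matter: the allowlist keeps option-looking or otherwise malformed values out of the child process, and dropping the shell removes the interpreter that gives `;`, `|`, `$()` and backticks their meaning in the first place. On a device where the web service runs as root, as the advisory describes, the missing allowlist turns any such handler into a full compromise; running the service as an unprivileged user would additionally limit the blast radius.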
