CVE-2024-43659

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Jan 9, 2025
CWE ID 1393
CWE ID 256
CWE ID 1391

Summary

CVE-2024-43659 is a vulnerability affecting Iocharger AC model EV chargers. An attacker who gains access to the charger's firmware can read the default credentials from a specific file; those credentials are the same across all Iocharger AC models. The issue arises from the lack of a mandatory password change on first login, which is critical because many charging stations may still be using the initial password. The vulnerability is classified as Moderate, since reaching the firmware typically requires first exploiting a code execution or file inclusion vulnerability. The impact is nonetheless significant: the shared default credentials could give an attacker access to multiple Iocharger charging stations and allow them to execute arbitrary commands. The CVSS score reflects the high privilege required (PR:H), the lack of user interaction (UI:N), and the potential confidentiality, integrity, and safety impacts (VC:H/SI:H/SA:H). Updated firmware versions now require a password change upon first login.
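The mitigation the advisory points to (a mandatory password change on first login, with the credential stored as a salted hash rather than in a readable file) is small enough to show end to end. The following is an added example written for this page, not Iocharger firmware or any code from the vendor; the `AccountStore` class, the `FACTORY_DEFAULT_PASSWORD` value and the `run_command` placeholder are all hypothetical. It gates privileged actions on a rotated credential and refuses to accept the factory default as a "new" password.

```python
"""Forced first-login password rotation for a device account store.

Constructed example illustrating the fix described in the advisory:
the shared factory default is accepted exactly once, and only to reach
the password-change step. Credentials are kept as salted PBKDF2 hashes,
so a leaked account file does not yield the password itself.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical placeholder; the real shared default is not reproduced here.
FACTORY_DEFAULT_PASSWORD = "change-me-factory-default"
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12


class AuthError(Exception):
    """Raised when a login, password change or privileged action is refused."""


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool  # True until the initial credential is replaced


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (never store the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def provision(self, username: str, initial_password: str = FACTORY_DEFAULT_PASSWORD) -> None:
        """Create an account whose initial credential is flagged for mandatory rotation."""
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _derive(initial_password, salt), True)

    def _check(self, username: str, password: str) -> Account:
        acct = self._accounts.get(username)
        if acct is None:
            raise AuthError("unknown user")
        # Constant-time comparison of the derived digest against the stored one.
        if not hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            raise AuthError("bad password")
        return acct

    def login(self, username: str, password: str) -> str:
        """Return 'ok' for a full session, or 'password_change_required' while the
        account is still on its initial credential (only change_password is allowed then)."""
        acct = self._check(username, password)
        return "password_change_required" if acct.must_change_password else "ok"

    def change_password(self, username: str, old_password: str, new_password: str) -> None:
        """Replace the credential; refuse short values, reuse, and the shared factory default."""
        acct = self._check(username, old_password)
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise AuthError("password too short")
        if new_password in (old_password, FACTORY_DEFAULT_PASSWORD):
            raise AuthError("new password must differ from the old one and the factory default")
        acct.salt = os.urandom(16)  # fresh salt on every rotation
        acct.digest = _derive(new_password, acct.salt)
        acct.must_change_password = False

    def run_command(self, username: str, password: str, command: str) -> str:
        """Privileged operation, reachable only once the credential has been rotated."""
        if self.login(username, password) != "ok":
            raise AuthError("password change required before privileged actions")
        return f"executed:{command}"  # placeholder for the device's real command dispatch


def outcome(fn, *args) -> str:
    """Run a store operation and report its result, or 'refused' if it raised AuthError."""
    try:
        result = fn(*args)
    except AuthError:
        return "refused"
    return "done" if result is None else str(result)


if __name__ == "__main__":
    store = AccountStore()
    store.provision("admin")
    print(store.login("admin", FACTORY_DEFAULT_PASSWORD))                      # password_change_required
    print(outcome(store.run_command, "admin", FACTORY_DEFAULT_PASSWORD, "reboot"))  # refused
    print(outcome(store.change_password, "admin", FACTORY_DEFAULT_PASSWORD, FACTORY_DEFAULT_PASSWORD))  # refused
    store.change_password("admin", FACTORY_DEFAULT_PASSWORD, "correct-horse-battery-9")
    print(store.run_command("admin", "correct-horse-battery-9", "reboot"))      # executed:reboot
```

The design point is that the default credential is not merely discouraged but structurally useless for anything except the change step, and the store itself rejects an attempt to set it back. On a real device the same gate would sit in front of every administrative endpoint, and a fleet operator can audit for unrotated units by checking which accounts still carry the `must_change_password` flag.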

