CVE-2024-43649

Severity: Critical · Impact: RCE

Published: 09 January 2025
Modified: 15 April 2026
KEV Added: none (not listed in CISA KEV)
CVSS Score (v4.0): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X
EPSS Score: 0.0227 (85.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43649 is a critical-severity OS Command Injection (CWE-78) vulnerability in Divd (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43649 is an authenticated command injection vulnerability (CWE-78, CWE-250) in the filename of a <redacted>.exe request within the Iocharger firmware for AC models prior to version 24120701. This flaw enables remote code execution as the root user. Published on 2025-01-09, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility with low complexity and low-privilege requirements.

An attacker with any level of authenticated access to the web interface can exploit the vulnerability over any network connection serving it, without needing user interaction or additional mitigations. Exploitation requires discovering the uncommon injection point, likely via firmware reverse-engineering or exhaustive testing of <redacted> fields, and obtaining low-privilege credentials either directly or by social engineering. Successful attacks yield critical impact, providing full root control over the charging station for arbitrary file and service manipulation, with potential for network pivoting and physical safety risks due to the device's power capabilities.

Advisories from DIVD CSIRT, including https://csirt.divd.nl/CVE-2024-43649/ and https://csirt.divd.nl/DIVD-2024-00035/, along with the vendor site at https://iocharger.com, detail mitigation steps for this issue.

Vulnerability details

Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701.

Likelihood: Moderate. This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.

Impact: Critical. The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.

CVSS clarification: This attack can be performed over any network connection serving the web interface (AV:N), and there are no additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), and there is no user interaction required (UI:N). The attack leads to a full compromise of the charger (VC:H/VI:H/VA:H), and a compromised charger can be used to "pivot" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV charger with significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).

CWE(s)

CWE-78 OS Command Injection (Improper Neutralization of Special Elements used in an OS Command)
CWE-250 Execution with Unnecessary Privileges

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated command injection in a network-accessible web interface directly enables remote exploitation of a public-facing application (T1190) and escalates low-privilege credentials to root RCE (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43648 (shared CWE-250, CWE-78)
CVE-2024-43654 (shared CWE-250, CWE-78)
CVE-2024-43652 (shared CWE-250, CWE-78)
CVE-2024-43653 (shared CWE-250, CWE-78)
CVE-2026-42833 (shared CWE-250)
CVE-2025-34274 (shared CWE-250)
CVE-2025-34515 (shared CWE-250)
CVE-2025-13375 (shared CWE-250)
CVE-2025-60963 (shared CWE-78)
CVE-2026-41613 (shared CWE-78)

Affected Assets

Divd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 (Information Input Validation): Directly prevents the command injection vulnerability by validating and sanitizing the filename input in the web request to block malicious payloads.

prevent · SI-2 (Flaw Remediation): Ensures timely remediation of the specific command injection flaw through firmware updates to version 24120701 or later.

prevent · least privilege: Limits the impact of successful command injection by enforcing least privilege, preventing execution as root even if a payload is injected.
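The SI-10 control above and the injection mechanism described under "Deeper analysis" (a request filename passed to a native binary) are illustrated here with an added example. This is not Iocharger, DIVD or NVD code: the helper binary path, storage directory, allowlist policy, client address and sample requests are all constructed for illustration. It places the anti-pattern (the request value spliced into a shell command line) beside the hardened form (allowlist validation, then an argv list executed with no shell), and records every rejection so a defender can see attempts in the logs.

```python
"""Allowlist validation of a filename parameter before it reaches a native helper.

Added example (not Iocharger, DIVD or NVD code). HELPER, BASE_DIR, the filename
policy and the sample requests are hypothetical values constructed for this demo.
"""
import re
import subprocess
from pathlib import PurePosixPath

# Assumed policy: exactly one path component, starting with a letter, digit or
# underscore, then letters, digits, dot, dash or underscore, at most 64 chars.
# Whitespace, slashes, NUL and every shell metacharacter fall outside the set.
_FILENAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

BASE_DIR = PurePosixPath("/var/lib/charger/uploads")  # hypothetical storage dir
HELPER = "/usr/bin/process-upload"                     # hypothetical native helper

AUDIT: list = []  # rejected requests, kept for the defender's audit log


class InvalidFilename(ValueError):
    """Raised when a request carries a filename outside the allowlist."""


def validate_filename(name: str) -> str:
    """Return name unchanged if it matches the allowlist, otherwise raise."""
    if not _FILENAME_RE.fullmatch(name):
        raise InvalidFilename(f"filename rejected by allowlist: {name!r}")
    # Belt and braces: the regex already excludes separators, but state the
    # intent explicitly so a later relaxation of the regex cannot quietly
    # reintroduce path traversal.
    if PurePosixPath(name).name != name or name in (".", ".."):
        raise InvalidFilename(f"filename is not a single path component: {name!r}")
    return name


def is_valid_filename(name: str) -> bool:
    """Boolean wrapper around validate_filename for callers that do not raise."""
    try:
        validate_filename(name)
        return True
    except InvalidFilename:
        return False


def build_command_unsafe(name: str) -> str:
    """Anti-pattern: the request value is spliced into a shell command line.

    Anything the shell treats specially inside name changes what gets executed.
    Shown only for contrast; never run with shell=True.
    """
    return f"{HELPER} {BASE_DIR}/{name}"


def build_command_safe(name: str) -> list:
    """Hardened form: validate first, then hand argv to exec with no shell at all."""
    safe = validate_filename(name)
    return [HELPER, str(BASE_DIR / safe)]


def handle_request(name: str, client: str = "198.51.100.7") -> tuple:
    """Return ("ok", argv) or ("rejected", None); every rejection is audited."""
    try:
        argv = build_command_safe(name)
    except InvalidFilename as exc:
        AUDIT.append({"client": client, "filename": name, "reason": str(exc)})
        return ("rejected", None)
    return ("ok", argv)


def run_helper(argv: list) -> int:
    """Execute argv without a shell. Shown for completeness; not called in the demo."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample requests: one legitimate name, the rest malformed.
    for sample in ["fw_24120701.bin", "report.log;ls", "../../etc/shadow",
                   "$(hostname).bin", ".hidden", "a b.txt"]:
        status, argv = handle_request(sample)
        print(f"{sample!r:24} -> {status} {argv or ''}")
    print(f"{len(AUDIT)} rejected request(s) recorded for the audit log")
```

Two design points carry over to C firmware just as well: the allowlist is positive (what is permitted), not a blocklist of metacharacters, and the validated value is passed as a distinct argv element so the shell never parses it. The audit list is the detection hook; in a real device it would feed syslog or the charger's event log.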
