CVE-2024-43649
Published: 09 January 2025
Summary
CVE-2024-43649 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iocharger firmware for AC-model EV charging stations, reported through DIVD CSIRT. Its CVSS base score is 9.3 (Critical); the metric-by-metric breakdown reproduced under Vulnerability details below uses CVSS v4.0 metrics, while the deeper analysis also gives a CVSS v3.1 score of 8.8.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43649 is an authenticated command injection vulnerability (CWE-78, CWE-250) in the filename of a <redacted>.exe request within the Iocharger firmware for AC models prior to version 24120701. The flaw yields remote code execution as the root user. Published on 2025-01-09, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network reachability, low attack complexity, and a requirement for only low-privilege (authenticated) access.
An attacker with any level of authenticated access to the web interface can exploit the vulnerability over any network connection that serves it; no user interaction is required and no additional mitigating measures need to be bypassed. Exploitation first requires locating the uncommon injection point, most likely by reverse-engineering the firmware or exhaustively testing the <redacted> fields, and obtaining low-privilege credentials either directly or through social engineering. A successful attack has critical impact: full root control over the charging station, allowing arbitrary manipulation of files and services, with the potential to pivot into networks that should not otherwise be reachable and, because the device switches significant electrical power, a potential physical safety impact.
Advisories from DIVD CSIRT, including https://csirt.divd.nl/CVE-2024-43649/ and https://csirt.divd.nl/DIVD-2024-00035/, along with the vendor site at https://iocharger.com, detail mitigation steps for this issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40393
Vulnerability details
Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701.
Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.
Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.
CVSS clarification: This attack can be performed over any network connection serving the web interface (AV:N), and there are no additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L); there is no user interaction required (UI:N). The attack leads to a full compromise of the charger (VC:H/VI:H/VA:H), and a compromised charger can be used to "pivot" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV charger with significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The injection point sits in a network-accessible web interface, so exploiting it is Exploit Public-Facing Application (T1190); because low-privilege credentials are enough to obtain code execution as root, the same flaw also maps to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the command injection by validating and sanitizing the filename supplied in the web request, so shell metacharacters never reach a command line.
- SI-2 (Flaw Remediation): ensures timely remediation of this specific flaw by updating the firmware to version 24120701 or later.
- AC-6 (Least Privilege): limits the impact of a successful injection by not running the affected request handler as root, so an injected payload does not execute with uid 0 even if validation is bypassed.
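The following is an added illustration, not code from Iocharger's firmware or from the DIVD advisory, of the bug class described in the deeper analysis above and of the SI-10 and least-privilege controls listed here. It shows a CGI-style handler that takes a filename from an HTTP request and hands it to a helper binary: the vulnerable form splices the filename into a shell command run as root (CWE-78 plus CWE-250), and the hardened form validates the name against a strict allowlist, drops root, and execs the helper with an argv array so no shell ever parses the input. The helper path `/usr/bin/tool.exe`, the unprivileged uid/gid 65534 and the sample inputs are hypothetical; the real injection point is redacted in the advisory.

```c
/* Added illustration (not Iocharger's firmware): a CGI-style handler that
 * takes a filename from an HTTP request and hands it to a helper binary.
 * The helper path, the parameter and the unprivileged uid/gid are
 * hypothetical; the real injection point is redacted in the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define HELPER   "/usr/bin/tool.exe"   /* hypothetical helper binary */
#define MAX_NAME 64

/* VULNERABLE (CWE-78): the request's filename is spliced into a command
 * string that /bin/sh will parse, so "x;reboot" becomes two commands.
 * The string is returned so the caller can see exactly what the shell sees. */
const char *build_shell_command_vulnerable(const char *filename) {
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "%s %s", HELPER, filename);
    return cmd;
}

/* Running this from a web server that runs as root is the CWE-250 half of
 * the bug: whatever the shell executes inherits uid 0. */
int run_vulnerable(const char *filename) {
    return system(build_shell_command_vulnerable(filename));
}

/* SI-10 input validation: accept only [A-Za-z0-9._-], bounded length, and
 * no leading '.' or '-' (blocks "..", hidden files and option-looking names).
 * Returns 1 if the name is safe to pass on, 0 otherwise. */
int is_safe_filename(const char *filename) {
    size_t n = strlen(filename);
    if (n == 0 || n > MAX_NAME) return 0;
    if (filename[0] == '.' || filename[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Least privilege: become an unprivileged user before exec and verify the
 * drop cannot be undone. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* still able to become root: refuse */
    return 0;
}

/* HARDENED: validate, fork, drop root, then execve the helper with an argv
 * array. No shell ever parses the filename, so metacharacters are inert.
 * Returns the helper's exit status, or -1 if the name was rejected or the
 * child could not be run. */
int run_hardened(const char *filename, uid_t uid, gid_t gid) {
    if (!is_safe_filename(filename)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(126);
        char *const argv[] = { HELPER, (char *)filename, NULL };
        char *const envp[] = { NULL };
        execve(HELPER, argv, envp);
        _exit(127);   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *injected = "x;reboot";   /* constructed sample input */
    printf("shell would see: %s\n", build_shell_command_vulnerable(injected));
    printf("hardened verdict: %d\n", run_hardened(injected, 65534, 65534));
    return 0;
}
```

The allowlist is deliberately narrower than "reject shell metacharacters": denylists miss encodings and shell-specific syntax, whereas a short allowlist plus a length bound leaves nothing for `/bin/sh` to interpret even if a future change reintroduces a shell. The privilege drop is verified by attempting to regain root, which is the check a reviewer should expect to see next to any `setuid` call in firmware.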