Cyber Resilience

CVE-2024-43652

Severity: Critical · Class: RCE

Published: 09 January 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in Iocharger firmware 24120701
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:X)
EPSS Score: 0.0336 (87.6th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43652 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iocharger firmware for AC model chargers before version 24120701, disclosed through DIVD (the vendor and product are inferred from the references and description, as NVD filed no CPE). Its CVSS v4 base score is 9.3 (Critical): network-reachable, low attack complexity, low privileges required, no user interaction, with high impact on confidentiality, integrity and availability of the device.

Operationally, exploitation aligns with the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068). With an EPSS score of 0.0336 it ranks in the top 12.4% of CVEs by predicted exploit likelihood (87.6th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43652 is a command injection vulnerability (CWE-78) in Iocharger firmware for AC model chargers before version 24120701. Special elements in attacker-controlled input are not neutralized before reaching an OS command, and the affected binary runs as root. The binary name is redacted in the advisory; DIVD notes that it does not appear to be used by the web interface, which may make it harder to locate, and that it appears to be largely the same binary used by the vendor's Pedestal charging station.

An attacker with a low-privilege account on the device, or the ability to convince a user with such an account to issue a crafted HTTP request, can exploit the issue to obtain full root control of the charging station. This grants the ability to arbitrarily add, modify, or delete files and services on the device. Because the sink runs as root, no separate privilege-escalation step is needed once the injection lands.

Public advisories from DIVD note that the issue is resolved in firmware 24120701 and direct users to the vendor for updated images, with further details at csirt.divd.nl/CVE-2024-43652 and csirt.divd.nl/DIVD-2024-00035.

The EPSS score rose from a low starting point to a peak of 0.0747 on 2025-12-11 before receding to 0.0336. EPSS is a predicted probability of exploitation in the wild over the next 30 days, not an observation of attacks, so the curve indicates that the model's estimate of exploitation likelihood increased after disclosure and has since eased.

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701.

Likelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request.

Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-250 Execution with Unnecessary Privileges (the injected command runs as root)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct OS command injection (CWE-78) in exposed charger interface enables remote exploitation of public-facing app (T1190) to escalate from low-priv to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43648 (shared: CWE-250, CWE-78)
CVE-2024-43654 (shared: CWE-250, CWE-78)
CVE-2024-43649 (shared: CWE-250, CWE-78)
CVE-2024-43653 (shared: CWE-250, CWE-78)
CVE-2026-42833 (shared: CWE-250)
CVE-2025-34274 (shared: CWE-250)
CVE-2025-34515 (shared: CWE-250)
CVE-2025-13375 (shared: CWE-250)
CVE-2025-60963 (shared: CWE-78)
CVE-2026-41613 (shared: CWE-78)

Affected Assets

Iocharger firmware for AC model chargers, versions before 24120701
Inferred from the references and description; NVD did not file a CPE for this CVE. DIVD is the reporting CSIRT, not the vendor. The advisory notes that the affected binary appears to be largely the same as the one used by the Iocharger Pedestal charging station, so that product is worth checking with the vendor as well.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) directly remediates the command injection flaw by requiring timely application of the vendor-provided firmware update to version 24120701 or later. Since the images are obtained from the vendor, confirm the running version on each charger after the update.

prevent: SI-10 (Information Input Validation) prevents OS command injection by enforcing validation of all inputs to the affected binary and neutralizing special elements before any value reaches a command. On a fixed interface this means a positive allowlist for the expected value, and invoking the program with a fixed argument vector rather than through a shell.

prevent: AC-6 (Least Privilege) limits the impact of the injection by ensuring the vulnerable binary and the accounts that can reach it operate with only the privileges they need. On affected firmware the binary runs as root, so restricting and auditing the low-privilege accounts that can reach the charger's HTTP interface is a compensating measure until the update is applied, not a fix.
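The exploitation path from the deeper analysis and the SI-10 control just above, as an added example that is not Iocharger's code: the advisory redacts the affected binary and its parameters, so a hypothetical CGI-style handler that pings a host out of an interface name taken from an HTTP query parameter stands in for it. The first path splices the value into a shell command line, which is exactly the CWE-78 shape described; the hardened path allowlists the value and calls execve with a fixed argv so no shell ever parses it. The handler, the `iface` parameter, the target address and the sample inputs are all assumptions.

```c
/* Added example, not Iocharger's code: the binary and parameters named in the
 * advisory are redacted, so this hypothetical CGI handler stands in for it.
 * It pings a fixed host out of a user-supplied interface name (an assumed
 * `iface` query parameter), first the injectable way, then hardened per SI-10. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Command line the VULNERABLE path hands to system(). With the constructed
 * input "eth0; id" the shell runs ping, then id, as the process owner
 * (root on the affected chargers). Static buffer: demo only. */
const char *vulnerable_cmd_for(const char *iface) {
    static char buf[256];
    snprintf(buf, sizeof buf, "ping -c 1 -I %s 192.0.2.1", iface);
    return buf;
}

/* CWE-78 sink: the unvalidated value reaches a shell. */
int run_ping_vulnerable(const char *iface) {
    return system(vulnerable_cmd_for(iface));
}

/* SI-10 check: positive allowlist of what a Linux interface name may contain.
 * Rejects empty or over-long values, a leading '-' (would parse as an option),
 * and any byte outside [A-Za-z0-9_.-]. An allowlist is used instead of
 * stripping ';', '|', '`' or '$' because which bytes are special depends on
 * the shell and on the quoting context the value lands in. */
int is_valid_iface(const char *iface) {
    size_t len = strlen(iface);
    if (len == 0 || len > 15) return 0;           /* IFNAMSIZ - 1 */
    if (iface[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED path: validate, then execve a fixed argv with no shell in between,
 * so the value is always one argument and never a command. Returns ping's
 * exit status, or -1 when the value is rejected or the spawn fails. */
int run_ping_hardened(const char *iface) {
    if (!is_valid_iface(iface)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/ping", "-c", "1", "-I", (char *)iface,
                              "192.0.2.1", NULL};
        char *const envp[] = {NULL};              /* no inherited PATH tricks */
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a benign interface and a crafted query value. */
    const char *benign = "eth0";
    const char *crafted = "eth0; id";
    printf("vulnerable path would run: %s\n", vulnerable_cmd_for(crafted));
    printf("validator: \"%s\" -> %d, \"%s\" -> %d\n", benign, is_valid_iface(benign),
           crafted, is_valid_iface(crafted));
    printf("hardened path with crafted value: %d (rejected, nothing executed)\n",
           run_ping_hardened(crafted));
    return 0;
}
```

The hardened path deliberately does both halves: validation alone can be bypassed by a value the allowlist did not anticipate, and execve alone still lets a value starting with '-' be read as an option by the target program. The sample main only runs the hardened path with the crafted value, so nothing is executed; calling it with "eth0" would fork and exec /bin/ping on the host.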

References

https://csirt.divd.nl/CVE-2024-43652
https://csirt.divd.nl/DIVD-2024-00035