Cyber Resilience

CVE-2024-43653

Critical RCE

Published: 09 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: firmware 24120701 or later
CVSS v4.0 Score: 9.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0254 (85.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-43653 is a critical-severity OS Command Injection (CWE-78) vulnerability in Divd (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43653 is a command injection vulnerability, tracked under CWE-78 and CWE-250, that permits OS command execution as root through improper neutralization of special elements. It affects Iocharger firmware for AC model chargers prior to version 24120701 and resides in a binary that is also shared with the vendor's Pedestal charging station hardware.

An attacker who obtains a low-privilege account, or who persuades such a user to submit a crafted HTTP request, can reach the vulnerable binary over any network interface exposing the web UI. Successful exploitation grants full root control, allowing arbitrary addition, modification, or deletion of files and services on the charging station.

Public advisories from DIVD recommend updating to firmware 24120701 or later. The CVSS 9.3 score reflects a network attack vector, low attack complexity, high impact on confidentiality, integrity and availability, and a potential safety impact. The associated EPSS score rose from a low baseline to a peak of 0.0582 on 2025-12-11 before receding to its current value of 0.0254, indicating a temporary increase in exploitation interest after disclosure.


Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request. Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services. CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE enables remote OS command injection (CWE-78) via a crafted HTTP request to a network-accessible binary in the charger firmware. This maps directly to public-facing application exploitation (T1190), which yields Unix shell execution (T1059.004) with immediate root privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43648: shares CWE-250, CWE-78
CVE-2024-43654: shares CWE-250, CWE-78
CVE-2024-43649: shares CWE-250, CWE-78
CVE-2024-43652: shares CWE-250, CWE-78
CVE-2025-56102: shares CWE-78
CVE-2025-20029: shares CWE-78
CVE-2026-28774: shares CWE-78
CVE-2026-30809: shares CWE-78
CVE-2025-56077: shares CWE-78
CVE-2026-28773: shares CWE-78

Affected Assets

Divd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): requires validation of information inputs to prevent improper neutralization of special elements used in OS commands, directly mitigating this command injection vulnerability.

SI-2 Flaw Remediation (prevent): ensures timely flaw remediation, such as applying the vendor-recommended firmware update to version 24120701 or later, eliminating the specific vulnerability.

AC-6 Least Privilege (prevent): enforces least privilege on processes like the vulnerable binary, limiting the scope of damage from root-level command injection even if exploited.
