CVE-2024-43654
Published: 09 January 2025
Summary
CVE-2024-43654 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iocharger AC EV charger firmware, reported by DIVD CSIRT. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 14.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43654 is a command injection vulnerability (CWE-78) in the firmware of Iocharger AC EV charger models that permits unauthenticated OS command execution as root. It affects all such models running firmware versions prior to 25010801 and stems from improper neutralization of special elements in commands processed by an internal binary also shared with the vendor's pedestal charging stations.
An attacker with low-privilege web interface access, or the ability to induce such a user to submit a crafted HTTP request, can exploit the flaw to obtain full root control. This grants arbitrary file and service modification on the charger, enabling network pivoting and potential safety impacts given the device's role in handling high power levels. The CVSS 4.0 score of 9.3 reflects a network attack vector, low attack complexity, high impacts on confidentiality, integrity and availability, and impact on subsequent systems.
Advisories from DIVD CSIRT recommend updating affected Iocharger AC models to firmware version 25010801 or later; details are available at the referenced URLs including https://csirt.divd.nl/CVE-2024-43654/ and https://csirt.divd.nl/DIVD-2024-00035/.
EPSS for the CVE rose from a low baseline to a peak of 0.0582 on 2025-12-11 before receding to the current value of 0.0254, indicating emerging post-disclosure exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40398
Vulnerability details
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root. This issue affects all Iocharger AC EV charger models on a firmware version before 25010801. Likelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request. Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services. CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in network-exposed web UI firmware directly enables remote exploitation of public-facing apps (T1190) and low-to-root privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection by requiring information input validation mechanisms at entry points to the vulnerable firmware binary.
- SI-2 (Flaw Remediation): Remediates the specific OS command injection flaw through timely identification, reporting, and application of the vendor firmware patch to version 25010801 or later.
- AC-6 (Least Privilege): Mitigates the impact of successful injection by enforcing least privilege, preventing the vulnerable binary from executing with root privileges.