Cyber Resilience

CVE-2024-43654

Critical · RCE

Published: 09 January 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: firmware version 25010801 or later (see Deeper analysis)
CVSS v4.0 score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X)
EPSS score: 0.0254 (85.8th percentile)
Risk priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43654 is a critical-severity OS Command Injection (CWE-78) vulnerability in Divd (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43654 is a command injection vulnerability (CWE-78) in the firmware of Iocharger AC EV charger models that permits unauthenticated OS command execution as root. It affects all such models running firmware versions prior to 25010801 and stems from improper neutralization of special elements in commands processed by an internal binary also shared with the vendor's pedestal charging stations.

An attacker with low-privilege web interface access, or the ability to induce such a user to submit a crafted HTTP request, can exploit the flaw to obtain full root control. This grants arbitrary file and service modification on the charger, enabling network pivoting and potential safety impacts given the device's role in handling high power levels. The CVSS 4.0 score of 9.3 reflects a network attack vector, low complexity, and high impacts on confidentiality, integrity, availability, and scope.

Advisories from DIVD CSIRT recommend updating affected Iocharger AC models to firmware version 25010801 or later; details are available at the referenced URLs including https://csirt.divd.nl/CVE-2024-43654/ and https://csirt.divd.nl/DIVD-2024-00035/.

EPSS for the CVE rose from a low baseline to a peak of 0.0582 on 2025-12-11 before receding to the current value of 0.0254, indicating emerging post-disclosure exploitation interest that warrants renewed attention.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root. This issue affects all Iocharger AC EV charger models on a firmware version before 25010801.

Likelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request.

Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.

CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection in network-exposed web UI firmware directly enables remote exploitation of public-facing apps (T1190) and low-to-root privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43648 (shared: CWE-250, CWE-78)
CVE-2024-43649 (shared: CWE-250, CWE-78)
CVE-2024-43652 (shared: CWE-250, CWE-78)
CVE-2024-43653 (shared: CWE-250, CWE-78)
CVE-2026-42833 (shared: CWE-250)
CVE-2025-34274 (shared: CWE-250)
CVE-2025-34515 (shared: CWE-250)
CVE-2025-13375 (shared: CWE-250)
CVE-2025-60963 (shared: CWE-78)
CVE-2026-41613 (shared: CWE-78)

Affected Assets

Divd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent): Directly prevents command injection by requiring information input validation mechanisms at entry points to the vulnerable firmware binary.

SI-2 Flaw Remediation (prevent): Remediates the specific OS command injection flaw through timely identification, reporting, and application of the vendor firmware patch to version 25010801 or later.

AC-6 Least Privilege (prevent): Mitigates impact of successful injection by enforcing least privilege, preventing the vulnerable binary from executing with root privileges.

References