Cyber Resilience

CVE-2024-43656

Critical · RCE

Published: 09 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (firmware 24120701 or later)
CVSS Score (v4.0): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0153 (81.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43656 is a critical-severity OS Command Injection (CWE-78) vulnerability in Iocharger firmware for AC model chargers before version 24120701 (vendor and product inferred from the description and references, since NVD filed no CPE for this CVE). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-43656 is an improper neutralization of special elements used in a command, classified as OS command injection (CWE-78) reached through an unrestricted file upload (CWE-434), that yields OS command execution as root. It affects Iocharger firmware for AC model chargers in versions before 24120701. The vulnerability is reachable over any network interface that serves the web UI. The CVSS v4.0 base score is 9.3; a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) is also recorded, reflecting network accessibility, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

An attacker with low-privileged access (PR:L), which per the advisory can be any authenticated web UI account regardless of its level, exploits the flaw over the network by modifying a settings backup file so that it carries a new CGI script placed in the correct directory of the (redacted) file structure, then restoring that backup. The restore writes the script into place and the web server executes it as root. Exploitation requires working out the backup file structure, which the advisory rates as moderately difficult, and either an account allowed to restore backups or persuading a legitimate user to upload the tampered file. Success gives full root-level control over the charging station, allowing arbitrary addition, modification, or deletion of files and services, with potential to pivot into otherwise unreachable networks (SC:L/SI:L/SA:H); because the device switches significant power there is a potential safety impact (S:P), and the attack can be automated (AU:Y).

Advisories from DIVD CSIRT (DIVD-2024-00035) and the vendor at iocharger.com detail the issue, with mitigation centered on updating to firmware version 24120701 or later to address the command injection flaw. Practitioners should review these resources for full patch instructions and verify network exposure of affected web UIs.
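To make the restore step concrete, here is an added, runnable model of it (example code, not the page's own and not Iocharger's firmware): a settings-backup archive is restored once by a routine that trusts the archive and once by a routine that validates it first, which is also what the SI-10 input-validation control under Mitigating Controls asks for. The archive layout (`etc/...`, `www/cgi-bin`), the manifest, the file names and the CGI payload are all assumptions; the advisory redacts the real directory structure.

```python
# Added illustrative model, not code from the page, DIVD or Iocharger.
# Archive layout, directory names, file names and the CGI payload below are
# all assumptions; the real Iocharger backup format is redacted in the advisory.
import io
import os
import stat
import tarfile
import tempfile

CGI_DIR = "www/cgi-bin"                        # assumed CGI location in the webroot
ALLOWED_SETTINGS = {"etc/charger.conf", "etc/network.conf"}  # assumed restore manifest
LEGIT_SETTINGS = {                             # constructed, benign backup contents
    "etc/charger.conf": (b"max_current=32\n", 0o600),
    "etc/network.conf": (b"dhcp=yes\n", 0o600),
}
# Constructed web shell: a CGI script the embedded web server would run as root.
CGI_PAYLOAD = b"#!/bin/sh\necho 'Content-Type: text/plain'\necho\nid\n"


def build_backup(members):
    """Build an in-memory tar archive; members maps path -> (bytes, mode)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (data, mode) in members.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tampered_backup():
    """Benign settings plus one extra member dropped into the CGI directory."""
    members = dict(LEGIT_SETTINGS)
    members[f"{CGI_DIR}/shell.cgi"] = (CGI_PAYLOAD, 0o755)
    return build_backup(members)


def write_member(tar, m, root, mode):
    """Copy one regular-file member to root/<name> and set its mode."""
    target = os.path.join(root, m.name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with tar.extractfile(m) as src, open(target, "wb") as dst:
        dst.write(src.read())
    os.chmod(target, mode)


def restore_unsafe(backup, root):
    """Vulnerable pattern (CWE-434 leading to CWE-78): every member is written
    where the archive says, with the mode bits the archive carries, so an
    executable under the CGI directory becomes a root-run web shell."""
    restored = []
    with tarfile.open(fileobj=io.BytesIO(backup)) as tar:
        for m in tar.getmembers():              # no check on name, type or mode;
            write_member(tar, m, root, m.mode)  # '../' names would escape root too
            restored.append(m.name)
    return sorted(restored)


def restore_safe(backup, root):
    """Hardened restore (input validation in the sense of NIST SI-10): validate
    every member before touching the filesystem, then write with a fixed mode."""
    with tarfile.open(fileobj=io.BytesIO(backup)) as tar:
        members = tar.getmembers()
        for m in members:
            if m.name not in ALLOWED_SETTINGS:  # blocks CGI paths and traversal alike
                raise ValueError(f"unexpected member in backup: {m.name}")
            if not m.isreg():                   # no symlinks, devices, directories
                raise ValueError(f"non-regular member in backup: {m.name}")
            if m.mode & 0o111:                  # settings are data, never executable
                raise ValueError(f"executable member in backup: {m.name}")
        for m in members:
            write_member(tar, m, root, 0o600)
    return sorted(m.name for m in members)


def is_executable(path):
    return os.path.isfile(path) and bool(os.stat(path).st_mode & stat.S_IXUSR)


def demo():
    """Run both restores on the tampered backup and report whether the web shell landed."""
    tampered = tampered_backup()
    with tempfile.TemporaryDirectory() as root:
        restore_unsafe(tampered, root)
        planted = is_executable(os.path.join(root, CGI_DIR, "shell.cgi"))
    with tempfile.TemporaryDirectory() as root:
        try:
            restore_safe(tampered, root)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    with tempfile.TemporaryDirectory() as root:
        legit = restore_safe(build_backup(LEGIT_SETTINGS), root)
    return {"unsafe_planted_web_shell": planted,
            "safe_rejected": rejected,
            "legitimate_restored": legit}


if __name__ == "__main__":
    print(demo())
```

The hardened routine checks every member before writing any of them, because rejecting part-way through would leave a half-applied backup on the device. In real firmware the same allowlist should be paired with an authenticated signature over the backup so that an attacker who obtains a restore-capable account still cannot substitute content, and the web server should not run CGI as root in the first place.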

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – It might be difficult for an attacker to identify the file structure of the <redacted> directory, and then modify the backup to add a new CGI script in the correct directory. Furthermore, the attacker will need an account to restore the settings backup, or convince a user with such access to upload a modified backup file. Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services. CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The tampered backup is submitted through the network-exposed web UI (T1190); the injected CGI script is a Unix shell script executed by the web server (T1059.004) and persists on the device as a web shell (T1505.003); because the server runs it as root, a low-privileged account ends up with root control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-5243 (shared CWE-434, CWE-78)
CVE-2025-56077 (shared CWE-78)
CVE-2026-28773 (shared CWE-78)
CVE-2025-56094 (shared CWE-78)
CVE-2026-27635 (shared CWE-78)
CVE-2021-4473 (shared CWE-78)
CVE-2026-24841 (shared CWE-78)
CVE-2025-11755 (shared CWE-434)
CVE-2025-56107 (shared CWE-78)
CVE-2026-20098 (shared CWE-434)

Affected Assets

Iocharger firmware for AC model chargers, versions before 24120701
Vendor and product inferred from the description and references; NVD did not file a CPE for this CVE. DIVD, which appears in the references, is the reporting CSIRT, not the vendor.

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent)

Directly mitigates the command injection by requiring validation and neutralization of special elements in backup file contents during the restore process, including rejecting members outside the expected settings layout.

SI-2 Flaw Remediation (prevent)

Requires timely remediation of the specific command injection flaw via firmware update to version 24120701 or later.

prevent

Restricts backup file uploads to authorized formats and content types, preventing injection of executable CGI scripts through the restore path.

References

DIVD CSIRT advisory DIVD-2024-00035
Vendor advisory at iocharger.com