Cyber Resilience

CVE-2024-43657

Critical · RCE

Published: 09 January 2025
Modified: 15 April 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X)
EPSS score: 0.0153 (81.7th percentile)
Risk priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43657 is a critical-severity OS Command Injection (CWE-78) vulnerability in Divd (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-43657 is an Improper Neutralization of Special Elements used in a Command vulnerability (CWE-78, with CWE-434 also assigned) that enables OS command injection with root privileges. It affects Iocharger firmware for AC model chargers in versions prior to 24120701; the injection point is the action.exe CGI binary reachable through the web UI.

An attacker with a low-privilege account can exploit this over any network interface serving the web UI by uploading a crafted firmware file, or by convincing a user with such access to do so. Successful exploitation grants full root control over the charging station, allowing arbitrary addition, modification, and deletion of files and services. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), with high likelihood, critical impact, and potential for network pivoting or safety risks due to the charger's power handling.

DIVD advisories at https://csirt.divd.nl/CVE-2024-43657/ and https://csirt.divd.nl/DIVD-2024-00035/ document the issue, recommending update to firmware version 24120701 or later as the primary mitigation. The vendor site https://iocharger.com provides further details.


Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: High. However, the attacker will need a (low privilege) account to gain access to the action.exe CGI binary and upload the crafted firmware file, or convince a user with such access to upload it. Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services. CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct OS command injection (CWE-78) in publicly accessible web UI CGI binary enables remote exploitation of a public-facing application for root-level code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56975 (shared CWE-434)
CVE-2026-27636 (shared CWE-434)
CVE-2026-42062 (shared CWE-78)
CVE-2025-41709 (shared CWE-78)
CVE-2026-1730 (shared CWE-434)
CVE-2025-70457 (shared CWE-434)
CVE-2025-60803 (shared CWE-78)
CVE-2025-12161 (shared CWE-434)
CVE-2024-41339 (shared CWE-434)
CVE-2024-46479 (shared CWE-434)

Affected Assets

Divd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of the command injection flaw via firmware update to version 24120701 or later, directly eliminating the vulnerability.

SI-10 Information Input Validation (prevent): Mandates validation of information inputs to the action.exe CGI binary, neutralizing special elements in crafted firmware files to prevent OS command injection.

AC-6 Least Privilege (prevent): Enforces least privilege on the action.exe CGI process to prevent root-level command execution even if injection occurs through low-privilege web UI access.
