CVE-2024-43660
Published: 09 January 2025
Summary
CVE-2024-43660 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Divd (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique /etc/passwd and /etc/shadow (T1003.008); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-43660 is a vulnerability in the Iocharger firmware for AC model chargers, affecting versions prior to 24120701. The issue stems from a CGI script, <redacted>.sh, that can be abused to download any file on the device's filesystem. This flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and has a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y, emphasizing high confidentiality impact with low-privilege authentication required.
An attacker with valid credentials can exploit this over any network connection where the charger's web interface is accessible, without needing user interaction or additional preconditions. Successful exploitation allows arbitrary file downloads, including sensitive data like /etc/shadow, CGI script source code, binaries, and configuration files, leading to critical confidentiality breaches. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) underscores the network accessibility and high impact, though the attack is isolated to the device with no integrity, availability, or subsequent system effects.
Advisories from DIVD CSIRT detail the vulnerability at https://csirt.divd.nl/CVE-2024-43660/ and https://csirt.divd.nl/DIVD-2024-00035/, with the vendor site at https://iocharger.com. Mitigation involves updating to firmware version 24120701 or later to address the exposed CGI script.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40404
Vulnerability details
The CGI script <redacted>.sh can be used to download any file on the filesystem. This issue affects Iocharger firmware for AC model chargers beforeversion 24120701. Likelihood: High, but credentials required. Impact: Critical – The script can be used to download…
more
any file on the filesystem, including sensitive files such as /etc/shadow, the CGI script source code or binaries and configuration files. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The confidentiality of all files of the devicd can be compromised (VC:H/VI:N/VA:N). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, this attack in isolation does not have a safety impact. The attack can be automated (AU:Y).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables arbitrary filesystem file downloads (incl. /etc/shadow) via exposed CGI, facilitating OS credential dumping and local data exfiltration.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for logical access, directly preventing the CGI script from allowing low-privileged users to download arbitrary filesystem files like /etc/shadow.
Limits privileges of authenticated users to only necessary access, mitigating the ability of low-privilege accounts to read sensitive files via the vulnerable CGI script.
Validates inputs to the CGI script to block unauthorized file path specifications that enable arbitrary file downloads.