Cyber Resilience

CVE-2024-43660

High

Published: 09 January 2025

Published
09 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
EPSS Score 0.0014 33.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43660 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Divd (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique /etc/passwd and /etc/shadow (T1003.008); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-43660 is a vulnerability in the Iocharger firmware for AC model chargers, affecting versions prior to 24120701. The issue stems from a CGI script, <redacted>.sh, that can be abused to download any file on the device's filesystem. This flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and has a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y, emphasizing high confidentiality impact with low-privilege authentication required.

An attacker with valid credentials can exploit this over any network connection where the charger's web interface is accessible, without needing user interaction or additional preconditions. Successful exploitation allows arbitrary file downloads, including sensitive data like /etc/shadow, CGI script source code, binaries, and configuration files, leading to critical confidentiality breaches. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) underscores the network accessibility and high impact, though the attack is isolated to the device with no integrity, availability, or subsequent system effects.

Advisories from DIVD CSIRT detail the vulnerability at https://csirt.divd.nl/CVE-2024-43660/ and https://csirt.divd.nl/DIVD-2024-00035/, with the vendor site at https://iocharger.com. Mitigation involves updating to firmware version 24120701 or later to address the exposed CGI script.

EU & UK References

Vulnerability details

The CGI script <redacted>.sh can be used to download any file on the filesystem. This issue affects Iocharger firmware for AC model chargers beforeversion 24120701. Likelihood: High, but credentials required. Impact: Critical – The script can be used to download…

more

any file on the filesystem, including sensitive files such as /etc/shadow, the CGI script source code or binaries and configuration files. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The confidentiality of all files of the devicd can be compromised (VC:H/VI:N/VA:N). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, this attack in isolation does not have a safety impact. The attack can be automated (AU:Y).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1003.008 /etc/passwd and /etc/shadow Credential Access
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Vulnerability directly enables arbitrary filesystem file downloads (incl. /etc/shadow) via exposed CGI, facilitating OS credential dumping and local data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2018-25164Shared CWE-552
CVE-2026-39871Shared CWE-552
CVE-2024-12917Shared CWE-552
CVE-2026-34392Shared CWE-552
CVE-2025-26525Shared CWE-552
CVE-2026-35446Shared CWE-552
CVE-2025-69428Shared CWE-552
CVE-2025-41240Shared CWE-552
CVE-2024-48864Shared CWE-552
CVE-2026-2331Shared CWE-552

Affected Assets

Divd
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly preventing the CGI script from allowing low-privileged users to download arbitrary filesystem files like /etc/shadow.

prevent

Limits privileges of authenticated users to only necessary access, mitigating the ability of low-privilege accounts to read sensitive files via the vulnerable CGI script.

prevent

Validates inputs to the CGI script to block unauthorized file path specifications that enable arbitrary file downloads.

References