CVE-2024-43663

Critical

Published: 09 January 2025

Published

09 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0446 89.2th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43663 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Divd (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the inadequate bounds checking in CGI binaries that causes buffer overflows by requiring validation of malformed inputs.

SI-2 Flaw Remediation good match

preventrecover

Ensures timely remediation of known flaws like these buffer overflows through firmware updates to version 24120701 or later.

SI-16 Memory Protection good match

prevent

Implements memory protections such as ASLR and other safeguards to mitigate remote code execution from buffer overflow exploitation.

NVD Description

There are many buffer overflow vulnerabilities present in several CGI binaries of the charging station.This issue affects Iocharger firmware for AC model chargers beforeversion 24120701. Likelihood: High – Given the prevalence of these buffer overflows, and the clear error message…

of the web server, an attacker is very likely to be able to find these vulnerabilities. Impact: Low – Usually, overflowing one of these buffers just causes a segmentation fault of the CGI binary, which causes the web server to return a 502 Bad Gateway error. However the webserver itself is not affected, and no DoS can be achieved. Abusing these buffer overflows in a meaningful way requires highly technical knowledge, especially since ASLR also seems to be enabled on the charging station. However, a skilled attacker might be able to use one of these buffer overflows to obtain remote code execution. CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack has a small impact on the availability of the device (VC:N/VI:N/VA:L). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, we do not expect this vulnerability to have a safety impact. The attack can be automated (AU:Y).

Deeper analysisAI

CVE-2024-43663 is a set of buffer overflow vulnerabilities (CWE-121) present in several CGI binaries within the Iocharger firmware for AC model electric vehicle chargers. These issues affect devices running firmware versions prior to 24120701. Published on 2025-01-09, the vulnerability stems from inadequate bounds checking in the CGI components, leading to potential memory corruption when processing malformed inputs.

The vulnerability can be exploited remotely over any network connection where the charging station's web interface is accessible (AV:N/AC:L/AT:N). While the provided CVSS clarification notes that authentication is required (PR:L) and typically results in a segmentation fault of the CGI binary—yielding a 502 Bad Gateway error with no denial-of-service on the web server—the formal CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates potential for high confidentiality, integrity, and availability impacts, including remote code execution. Exploitation likelihood is rated high due to the prevalence of overflows and clear web server error messages, though achieving meaningful code execution demands advanced skills given enabled ASLR. No user interaction is needed (UI:N), and attacks can be automated (AU:Y), but there is no expected safety impact despite the device's control over high-power charging.

Advisories from DIVD CSIRT (https://csirt.divd.nl/CVE-2024-43663/ and https://csirt.divd.nl/DIVD-2024-00035/) detail the issues, with the vendor site (https://iocharger.com) as a reference. Mitigation involves updating to Iocharger firmware version 24120701 or later to address the vulnerable CGI binaries.