{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43649", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2024-08-14T09:27:41.767Z", "datePublished": "2025-01-09T07:56:46.982Z", "dateUpdated": "2025-01-09T14:36:23.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-01-09T07:56:46.982Z"}, "title": "Authenticated command injection via <redacted>.exe <redacted> parameter", "datePublic": "2025-01-09T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "OWASP-A03: Injection"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "Iocharger", "product": "Iocharger firmware for AC models", "versions": [{"status": "affected", "version": "0", "lessThan": "24120701", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user.\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate \u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\n\nImpact: Critical \u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\n\nCVSS clarification:\u00a0This attack can be performed over any network conenction serving the web interfacr (AV:N), and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \"pivot\" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer, there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authenticated command injection in the filename of a &lt;redacted&gt;.exe request leads to remote code execution as the root user.<br><br>This issue affects Iocharger firmware for AC models before version 24120701.<br><br>Likelihood: Moderate \u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all &lt;redacted&gt; fields. The attacker will also need a (low privilege) account to gain access to the &lt;redacted&gt; binary, or convince a user with such access to execute a payload.<br><br>Impact: Critical \u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.<br><br>CVSS clarification:&nbsp;This attack can be performed over any network conenction serving the web interfacr (AV:N), and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \"pivot\" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer, there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y)."}]}], "references": [{"url": "https://csirt.divd.nl/DIVD-2024-00035/", "tags": ["third-party-advisory"]}, {"url": "https://csirt.divd.nl/CVE-2024-43649/", "tags": ["third-party-advisory"]}, {"url": "https://iocharger.com", "tags": ["product"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "Safety": "PRESENT", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/S:P/AU:Y"}}], "credits": [{"lang": "en", "value": "Wilco van Beijnum", "type": "finder"}, {"lang": "en", "value": "Harm van den Brink (DIVD)", "type": "analyst"}, {"lang": "en", "value": "Frank Breedijk (DIVD)", "type": "analyst"}], "source": {"advisory": "DIVD-2024-00035", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T14:35:10.473442Z", "id": "CVE-2024-43649", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T14:36:23.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-43649", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-09T14:35:10.473442Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T14:36:16.749Z"}}], "cna": {"title": "Authenticated command injection via <redacted>.exe <redacted> parameter", "source": {"advisory": "DIVD-2024-00035", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Wilco van Beijnum"}, {"lang": "en", "type": "analyst", "value": "Harm van den Brink (DIVD)"}, {"lang": "en", "type": "analyst", "value": "Frank Breedijk (DIVD)"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/S:P/AU:Y", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Iocharger", "product": "Iocharger firmware for AC models", "versions": [{"status": "affected", "version": "0", "lessThan": "24120701", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2025-01-09T00:00:00.000Z", "references": [{"url": "https://csirt.divd.nl/DIVD-2024-00035/", "tags": ["third-party-advisory"]}, {"url": "https://csirt.divd.nl/CVE-2024-43649/", "tags": ["third-party-advisory"]}, {"url": "https://iocharger.com", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user.\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate \u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\n\nImpact: Critical \u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\n\nCVSS clarification:\u00a0This attack can be performed over any network conenction serving the web interfacr (AV:N), and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \"pivot\" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer, there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y).", "supportingMedia": [{"type": "text/html", "value": "Authenticated command injection in the filename of a &lt;redacted&gt;.exe request leads to remote code execution as the root user.<br><br>This issue affects Iocharger firmware for AC models before version 24120701.<br><br>Likelihood: Moderate \u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all &lt;redacted&gt; fields. The attacker will also need a (low privilege) account to gain access to the &lt;redacted&gt; binary, or convince a user with such access to execute a payload.<br><br>Impact: Critical \u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.<br><br>CVSS clarification:&nbsp;This attack can be performed over any network conenction serving the web interfacr (AV:N), and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \"pivot\" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer, there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}, {"descriptions": [{"lang": "en", "description": "OWASP-A03: Injection"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-01-09T07:56:46.982Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43649", "state": "PUBLISHED", "dateUpdated": "2025-01-09T14:36:23.194Z", "dateReserved": "2024-08-14T09:27:41.767Z", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "datePublished": "2025-01-09T07:56:46.982Z", "assignerShortName": "DIVD"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated command injection in the filename of a <redacted>.exe request leads to remote code execution as the root user.\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate \u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\n\nImpact: Critical \u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\n\nCVSS clarification:\u00a0This attack can be performed over any network conenction serving the web interfacr (AV:N), and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges, but the level does not matter (PR:L), there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \"pivot\" to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer, there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y)."}, {"lang": "es", "value": "La inyecci\u00f3n de comandos autenticados en el nombre de archivo de una solicitud .exe conduce a la ejecuci\u00f3n remota de c\u00f3digo como usuario superusuario. Este problema afecta al firmware de Iocharger para modelos AC anteriores a la versi\u00f3n 24120701. Probabilidad: moderada: esta acci\u00f3n no es un lugar com\u00fan para que se produzcan vulnerabilidades de inyecci\u00f3n de comandos. Por lo tanto, es probable que un atacante solo pueda encontrar esta vulnerabilidad mediante ingenier\u00eda inversa del firmware o prob\u00e1ndola en todos los campos . El atacante tambi\u00e9n necesitar\u00e1 una cuenta (con privilegios bajos) para obtener acceso al binario o convencer a un usuario con dicho acceso para que ejecute un payload. Impacto: cr\u00edtico: el atacante tiene control total sobre la estaci\u00f3n de carga como usuario ra\u00edz y puede agregar, modificar y eliminar archivos y servicios de forma arbitraria. Aclaraci\u00f3n de CVSS: este ataque se puede realizar a trav\u00e9s de cualquier conexi\u00f3n de red que brinde servicio a la interfaz web (AV:N) y no hay medidas de mitigaci\u00f3n adicionales que deban eludirse (AC:L) u otros requisitos previos (AT:N). El ataque requiere privilegios, pero el nivel no importa (PR:L), no se requiere interacci\u00f3n del usuario (UI:N). El ataque lleva a un cargador totalmente comprometido (VC:H/VI:H/VA:H) y un cargador comprometido puede usarse para \"pivotar\" hacia redes que normalmente no deber\u00edan ser accesibles (SC:L/SI:L/SA:H). Debido a que se trata de cargadores de veh\u00edculos el\u00e9ctricos con una potencia significativa, existe un posible impacto en la seguridad (S:P). Este ataque puede automatizarse (AU:Y)."}], "id": "CVE-2024-43649", "lastModified": "2025-01-09T15:15:16.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "PRESENT", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "csirt@divd.nl", "type": "Secondary"}]}, "published": "2025-01-09T08:15:27.233", "references": [{"source": "csirt@divd.nl", "url": "https://csirt.divd.nl/CVE-2024-43649/"}, {"source": "csirt@divd.nl", "url": "https://csirt.divd.nl/DIVD-2024-00035/"}, {"source": "csirt@divd.nl", "url": "https://iocharger.com"}], "sourceIdentifier": "csirt@divd.nl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-250"}], "source": "csirt@divd.nl", "type": "Secondary"}]}

{}