{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4622", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-05-07T19:41:26.741Z", "datePublished": "2024-05-15T16:54:08.150Z", "dateUpdated": "2024-08-01T20:47:41.193Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Hypercharger EV Charger", "vendor": "alpitronic", "versions": [{"status": "affected", "version": "all versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hanno B\u00f6ck reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nIf misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator.\n\n"}], "value": "If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1392", "description": "CWE-1392", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T16:54:08.150Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02"}], "source": {"advisory": "ICSA-24-130-02", "discovery": "EXTERNAL"}, "title": "alpitronic Hypercharger EV Charger Use of Default Credentials", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>alpitronic recommends users change the default credentials for all charging devices.</p>\n<p>alpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.</p>\n<p>When informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.</p>\n<p>alpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords.</p>\n\n"}], "value": "alpitronic recommends users change the default credentials for all charging devices.\n\n\nalpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.\n\n\nWhen informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.\n\n\nalpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T17:32:04.444201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:54:05.980Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.193Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:47:41.193Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T17:32:04.444201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.395Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "alpitronic Hypercharger EV Charger Use of Default Credentials", "source": {"advisory": "ICSA-24-130-02", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Hanno B\u00f6ck reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "alpitronic", "product": "Hypercharger EV Charger", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02"}], "workarounds": [{"lang": "en", "value": "alpitronic recommends users change the default credentials for all charging devices.\n\n\nalpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.\n\n\nWhen informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.\n\n\nalpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords.", "supportingMedia": [{"type": "text/html", "value": "\n<p>alpitronic recommends users change the default credentials for all charging devices.</p>\n<p>alpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.</p>\n<p>When informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.</p>\n<p>alpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords.</p>\n\n", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator.", "supportingMedia": [{"type": "text/html", "value": "\nIf misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1392", "description": "CWE-1392"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T16:54:08.150Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4622", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:47:41.193Z", "dateReserved": "2024-05-07T19:41:26.741Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-05-15T16:54:08.150Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator."}, {"lang": "es", "value": "Si est\u00e1n mal configurados, los dispositivos de carga alpitronic Hypercharger EV pueden exponer una interfaz web protegida por autenticaci\u00f3n. Si no se cambian las credenciales predeterminadas, un atacante puede utilizar el conocimiento p\u00fablico para acceder al dispositivo como administrador."}], "id": "CVE-2024-4622", "lastModified": "2024-05-15T18:35:11.453", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "NONE"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-05-15T17:15:16.010", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1392"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}