CVE-2024-23967
published 2024-09-28CVE-2024-23967: Autel MaxiCharger AC Elite Business C50 WebSocket Base64 Decoding Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows…
PriorityP355high8CVSS 3.1
AVAACLPRLUINSUCHIHAH
EPSS
0.89%
54.9th percentile
Autel MaxiCharger AC Elite Business C50 WebSocket Base64 Decoding Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 chargers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of base64-encoded data within WebSocket messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.
Was ZDI-CAN-23230
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| autel | maxicharger_ac_elite_business_c50 | — | — |
| autel | maxicharger_ac_elite_business_c50_firmware | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Trendmicro
From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
blogs_trendmicro·2024-10-03·CVSS 8.0
[HIGH] From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
## From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
Learn about Autel Maxicharger vulnerabilities that were covered at Pwn2Own Automotive.
By: Zero Day Initiative 2024/10/03 Read time: ( words)
Save to Folio
This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included.
Autel has been informed and has deployed a firmware update (v1.35) to address both of these issues. If you want to read about other Autel bugs reported at Pwn2Own, you check out our earlier blog here .
The First Vulnerability: CVE-2024-23967 (ZDI-CAN-23230)
Researchers from Computest Sector 7 identified and exploited a stack-based buffer overflow in v1.32 of the Autel firmware. This vulnerabilit
Trendmicro
From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
blogs_trendmicro·2024-10-03·CVSS 8.0
[HIGH] From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
# From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities
Learn about Autel Maxicharger vulnerabilities that were covered at Pwn2Own Automotive.
By: Zero Day Initiative
2024/10/03
Read time: ( words)
Save to Folio
This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included.
Autel has been informed and has deployed a firmware update (v1.35) to address both of these issues. If you want to read about other Autel bugs reported at Pwn2Own, you check out our earlier blog here.
The First Vulnerability: CVE-2024-23967 (ZDI-CAN-23230)
Researchers from Computest Sector 7 identified and exploited a stack-based buffer overflow in v1.32 of the Autel firmware. This vulnerability
2024-09-28
Published