Iocharger Firmware For Ac Models vulnerabilities
15 known vulnerabilities affecting iocharger/iocharger_firmware_for_ac_models.
Total CVEs
15
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH9MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2024-43648P2HIGHCVSS 8.8fixed in 241207012025-01-09
CVE-2024-43648 [HIGH] CWE-78 CVE-2024-43648: Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execu
Command injection in the parameter of a .exe request leads to remote code execution as the root user.
This issue affects Iocharger firmware for AC models before version 24120701.
Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerabilit
nvd
CVE-2024-43649P2HIGHCVSS 8.8fixed in 241207012025-01-09
CVE-2024-43649 [HIGH] CWE-78 CVE-2024-43649: Authenticated command injection in the filename of a <redacted>.exe request leads to remote code exe
Authenticated command injection in the filename of a .exe request leads to remote code execution as the root user.
This issue affects Iocharger firmware for AC models before version 24120701.
Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this
nvd
CVE-2024-43654P2HIGHCVSS 8.8fixed in 250108012025-01-09
CVE-2024-43654 [HIGH] CWE-78 CVE-2024-43654: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root
This issue affects all Iocharger AC EV charger models on a firmware version before 25010801.
Likelihood: Moderate – The binary does not seem to be used by the web interface, so it mig
nvd
CVE-2024-43651P2CRITICALCVSS 9.3fixed in 241207012025-01-09
CVE-2024-43651 [CRITICAL] CWE-78 CVE-2024-43651: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability al
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC models before version 241207101
Likelihood: Moderate – The binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be lar
nvd
CVE-2024-43650P2CRITICALCVSS 9.3fixed in 241207012025-01-09
CVE-2024-43650 [CRITICAL] CWE-78 CVE-2024-43650: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root
This issue affects firmware versions before 24120701.
Likelihood: Moderate – The binary does not seem to be used by the web interface, so it might be more difficult to find. It s
nvd
CVE-2024-43653P2HIGHCVSS 8.8fixed in 241207012025-01-09
CVE-2024-43653 [HIGH] CWE-78 CVE-2024-43653: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability a
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC model chargers before version 24120701.
Likelihood: Moderate – The binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be
nvd
CVE-2024-43663P2CRITICALCVSS 9.8fixed in 241207012025-01-09
CVE-2024-43663 [CRITICAL] CWE-121 CVE-2024-43663: There are many buffer overflow vulnerabilities present in several CGI binaries of the charging stati
There are many buffer overflow vulnerabilities present in several CGI binaries of the charging station.This issue affects Iocharger firmware for AC model chargers beforeversion 24120701.
Likelihood: High – Given the prevalence of these buffer overflows, and the clear error message of the web server, an attacker is very likely to be able to find t
nvd
CVE-2024-43655P2CRITICALCVSS 9.3fixed in 241207012025-01-09
CVE-2024-43655 [CRITICAL] CWE-78 CVE-2024-43655: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability al
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC model chargers before version 24120701.
Likelihood: Moderate – The attacker will first need to find the name of the script, and needs a (low privilege) account to gain a
nvd
CVE-2024-43656P2HIGHCVSS 8.8fixed in 241207012025-01-09
CVE-2024-43656 [HIGH] CWE-78 CVE-2024-43656: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability al
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC model chargers before version 24120701.
Likelihood: Moderate – It might be difficult for an attacker to identify the file structure of the directory, and then modify the bac
nvd
CVE-2024-43657P2HIGHCVSS 8.8fixed in 20241207012025-01-09
CVE-2024-43657 [HIGH] CWE-78 CVE-2024-43657: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability al
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC model chargers before version 24120701.
Likelihood: High. However, the attacker will need a (low privilege) account to gain access to the action.exe CGI binary and upload th
nvd
CVE-2024-43661P2CRITICALCVSS 9.8fixed in 241207012025-01-09
CVE-2024-43661 [CRITICAL] CWE-121 CVE-2024-43661: The <redacted>.so library, which is used by <redacted>, is vulnerable to a buffer overflow in the co
The .so library, which is used by , is
vulnerable to a buffer overflow in the code that handles the deletion
of certificates. This buffer overflow can be triggered by providing a
long file path to the action of the .exe CGI binary or
to the .sh CGI script. This binary or script will write this
file path to , which is then
read by .so
This issue
nvd
CVE-2024-43659P3HIGHCVSS 7.2fixed in 250108012025-01-09
CVE-2024-43659 [HIGH] CWE-256 CVE-2024-43659: After gaining access to the firmware of a charging station, a file at <redacted> can be accessed to
After gaining access to the firmware of a charging station, a file at can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers.
This issue affects Iocharger firmware for AC models before firmware version 25010801.
The issue is addressed by requiring a mandatory password change on first login, it is sti
nvd
CVE-2024-43660P3HIGHCVSS 7.5fixed in 241207012025-01-09
CVE-2024-43660 [HIGH] CWE-552 CVE-2024-43660: The CGI script <redacted>.sh can be used to download any file on the filesystem. This issue affects
The CGI script .sh can be used to download any file on the filesystem.
This issue affects Iocharger firmware for AC model chargers beforeversion 24120701.
Likelihood: High, but credentials required.
Impact: Critical – The script can be used to download any file on the filesystem, including sensitive files such as /etc/shadow, the CGI script source c
nvd
CVE-2024-43658P3HIGHCVSS 7.2fixed in 250108012025-01-09
CVE-2024-43658 [HIGH] CWE-27 CVE-2024-43658: Patch traversal, External Control of File Name or Path vulnerability in Iocharger Home allows delet
Patch traversal, External Control of File Name or Path vulnerability in Iocharger Home allows deletion of arbitrary files
This issue affects Iocharger firmware for AC model before firmware version 25010801.
Likelihood: High, but requires authentication
Impact: Critical – The vulnerability can be used to delete any file on the charging station, severel
nvd
CVE-2024-43662P3MEDIUMCVSS 5.3fixed in 241207012025-01-09
CVE-2024-43662 [MEDIUM] CWE-434 CVE-2024-43662: The <redacted>.exe or <redacted>.exe CGI binary can be used to upload arbitrary files to /tmp/upload
The .exe or .exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any user, although the user interface for uploading files is only shown to the iocadmin user.
This issue affects Iocharger firmware for AC models before version 24120701.
Likelihood: Moderate – An attacker will need to have knowledge of this
nvd