Iocharger Command Injection Vulnerability in AC Models Prior to Version 24120701 Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Iocharger firmware for AC models prior to version 24120701. An authenticated user can execute arbitrary commands through a specific parameter of a <redacted>.exe request, resulting in remote code execution as the root user. Because a command injection in this particular field is not an obvious place to look, an attacker would likely need to reverse-engineer the firmware or probe various <redacted> fields to discover it. Access to the <redacted> binary is required, either through a low-privilege account or by persuading a user who has such access to submit a malicious request.

Impact

Exploitation of this vulnerability gives the attacker full control over the affected charging station as the root user, including the ability to add, modify, and delete files and services. The compromise is rated critical because it can disrupt the safe operation of the EV charger, which switches significant electrical power.

Remediation

Users are advised to update to Iocharger firmware version 24120701 or later, which is available through Iocharger distributors. Users whose distributor has not contacted them about the update should reach out to the distributor. For direct assistance, Iocharger can be contacted by email at sales@iocharger.com. Additionally, change default passwords and ensure that Iocharger devices are not exposed to untrusted networks.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 8.8
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.1
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.