Iocharger Command Injection Vulnerability in AC Models Allowing Root Access

Vulnerability

A command injection vulnerability has been identified in Iocharger firmware for AC models prior to version 241207101. It allows authenticated users to execute operating system commands as the root user on the affected charging station. The issue arises from improper handling of special elements in OS commands, which could be exploited by convincing a user with low privileges to send a crafted HTTP request. Once exploited, the attacker gains full control over the charging station, including the ability to add, modify, or delete files and services. Because the device is an electric vehicle charger managing significant power, there are also potential safety implications.

Impact

Exploitation of this vulnerability leads to unauthorized command execution as the root user on the charging station, allowing full control over the device. A compromised charger could be used to access restricted network areas, and given the charger's role in managing high power levels, there could be safety risks involved.

Remediation

Users are advised to update to Iocharger firmware version 24120701 or later, which addresses this vulnerability. Firmware version 25010801 is also available and fixes additional vulnerabilities. If not contacted by a distributor for the update, users should reach out to Iocharger directly at sales@iocharger.com.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 8.8
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.1
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.