Iocharger AC Models Command Injection Vulnerability Leading to Root Access

Vulnerability

A command injection vulnerability has been identified in Iocharger firmware for AC models, all versions prior to 25010801. It allows authenticated users to execute OS commands as root on the charging station. The issue arises from improper neutralization of special elements used in commands, enabling OS command injection. Although the vulnerability is reachable through the web interface, it may be more challenging to exploit because it requires access to a specific binary, similar to one used in the Iocharger Pedestal charging station. An attacker would need a low-privilege account, or would need to persuade a user with such access to send a crafted HTTP request.

Impact

Exploitation of this vulnerability grants full control over the affected charging station as the root user, allowing unauthorized addition, modification, and deletion of files and services. Given that this is an EV charger managing significant power, there are potential safety implications.

Remediation

Iocharger has released firmware version 25010801, which addresses this vulnerability. The firmware is available through Iocharger distributors. Users should also change default passwords and ensure their Iocharger devices are not exposed to untrusted networks.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.