Iocharger Command Injection Vulnerability in AC Model Chargers

Vulnerability

A command injection vulnerability has been identified in Iocharger firmware for AC model chargers, affecting firmware versions before 24120701. It allows an authenticated user to execute operating system commands as root on the charging station. The root cause is improper neutralization of special elements used in commands (OS command injection): input that reaches a specific CGI script is passed into an operating system command without being sanitized, so shell metacharacters in the input are interpreted. To exploit it, an attacker needs to know or discover the name of that CGI script and either hold a low-privilege account to call it directly, or convince a user who has the required access to send the crafted request.
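The pattern behind this class of bug, with the fix beside it. This is an added illustration, not Iocharger's code: the script name, the `host` parameter and the `ping` command are hypothetical stand-ins for whatever the affected CGI script actually runs, and the attacker input is constructed for the demo. The vulnerable builder pastes the parameter into a shell command line, which is what `system()` would receive; the hardened path first allow-lists the parameter and then runs the program through `execvp` with an argv array, so the parameter is a single argument and metacharacters are inert.

```c
/* Added example (not Iocharger code). Names and the command are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* VULNERABLE pattern: the CGI query parameter is interpolated into a shell
 * command line. Input such as "127.0.0.1; id > /tmp/pwned" terminates the
 * ping and runs the rest as the CGI's user (root on the affected chargers).
 * Returns the exact string that system() would hand to /bin/sh; a static
 * buffer is used only so the demo's caller can inspect it. */
const char *build_ping_command_unsafe(const char *host)
{
    static char cmd[CMD_MAX];
    int n = snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return NULL;
    return cmd;
}

/* Hardened, step 1: allow-list the parameter. A hostname or IPv4 literal
 * only needs [A-Za-z0-9.-]; everything else (; | & ` $ ( ) < > space,
 * newline) is refused. A leading '-' is refused because ping would parse
 * it as an option. Returns 1 if acceptable, 0 otherwise. */
int host_param_ok(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened, step 2: never go through /bin/sh. fork() and execvp() with an
 * argv array, so the parameter is one argument and is never re-parsed.
 * Returns the child's exit status, or -1 if the input was rejected or the
 * process could not be run. */
int run_ping_safe(const char *host)
{
    if (!host_param_ok(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);             /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input for the demo. */
    const char *evil = "127.0.0.1; id > /tmp/pwned";
    printf("shell line system() would run: %s\n", build_ping_command_unsafe(evil));
    printf("allow-list accepts attacker input? %d\n", host_param_ok(evil));
    printf("allow-list accepts 127.0.0.1?      %d\n", host_param_ok("127.0.0.1"));
    return 0;
}
```

The allow-list alone is not the fix; it is defence in depth. The structural fix is the argv-based exec, which removes the shell from the path entirely, so a validation mistake can no longer turn into command execution. When reviewing firmware CGI handlers, grep for `system(`, `popen(` and `sh -c` and check whether any request-derived string reaches them.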

Impact

Successful exploitation gives full (root) control over the affected charging station: the attacker can add, modify and delete files and services at will. A compromised charger can also serve as a pivot into networks that would otherwise be unreachable from the attacker's position. Because the device switches significant electrical power to a vehicle, there are potential safety implications as well.

Remediation

Iocharger has released firmware version 24120701, which addresses this vulnerability. If a charger must be reachable over the internet, place it behind a NAT gateway and block all incoming traffic to it. After updating the firmware, change the device's default passwords: they can be extracted from the firmware image with little effort, so anyone with a copy of the firmware already holds the credentials needed for the authenticated attack.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.