Iocharger AC Model Chargers OS Command Injection Vulnerability Allowing Root Access

Vulnerability

A command injection vulnerability has been identified in Iocharger firmware for AC model chargers, affecting firmware versions prior to 24120701. It allows an authenticated user to execute arbitrary OS commands as root on the charging station. The flaw lies in the firmware upload path: the uploaded firmware file is not authenticated before it is processed, so a crafted file can carry a shell script that the device runs during processing, giving the attacker full control of the device. Exploitation requires reaching the action.exe CGI endpoint, either directly with an account that holds the firmware-upload privilege, or by convincing a user who holds that privilege to upload the malicious file.

Impact

Exploitation gives unauthorized OS command execution as root on the affected charging station, with the ability to add, modify, or delete arbitrary files and services. A compromised charger can also serve as a pivot into the networks it is connected to, and, because EV chargers switch significant amounts of power, there are potential physical safety implications.

Reproduction

To reproduce this vulnerability, an authenticated user with firmware-upload rights uploads a firmware file containing a custom shell script to an Iocharger AC model charger. The action.exe CGI binary runs the embedded script while processing the upload, which yields OS command execution as root. The exact firmware packaging is not described here; the essential point is that the upload is acted on before its authenticity is established.
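The following is an added example that models the flaw described in the Vulnerability and Reproduction sections above; it is not Iocharger's code, and the package layout (a tar archive with an optional post_install.sh), the member names, and the signing scheme are assumptions for illustration. The vulnerable handler unpacks whatever was uploaded and executes any script it finds, with its own privileges; the hardened handler verifies a signature over the whole upload before parsing it and then stages only allow-listed files without executing anything. HMAC stands in for the asymmetric signature a real update scheme would use, purely so the example runs with the standard library.

```python
"""Model of an unauthenticated firmware-upload handler (hypothetical, not vendor code)."""
from __future__ import annotations

import hashlib
import hmac
import io
import subprocess
import tarfile
import tempfile
from pathlib import Path

# Stand-in for the vendor signing key. A real scheme would use an asymmetric
# signature (e.g. Ed25519) so nothing stored on the device can forge updates.
SIGNING_KEY = b"vendor-signing-key-placeholder"

# Members a legitimate update is allowed to contain (assumed layout).
ALLOWED_MEMBERS = {"image.bin", "manifest.txt"}


def build_package(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar 'firmware package' from a name->content mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_package(package: bytes) -> bytes:
    """Signature over the entire upload; the device verifies this before parsing."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def _regular_members(package: bytes) -> dict[str, bytes]:
    """Return top-level regular-file members as name->bytes; skip anything else."""
    out: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile() and "/" not in m.name and ".." not in m.name:
                out[m.name] = tar.extractfile(m).read()
    return out


def vulnerable_install(package: bytes, workdir: Path) -> str:
    """Unpack the upload, then run any post-install script it contains.

    The upload is never authenticated, so whoever reaches the upload endpoint
    chooses what runs, with the handler's privileges (root on the charger).
    Returns the script's stdout so the effect is observable.
    """
    for name, data in _regular_members(package).items():
        (workdir / name).write_bytes(data)
    script = workdir / "post_install.sh"
    if script.exists():
        result = subprocess.run(["sh", str(script)], capture_output=True, text=True, cwd=workdir)
        return result.stdout.strip()
    return ""


def hardened_install(package: bytes, signature: bytes, workdir: Path) -> str:
    """Verify the whole upload before parsing it, then stage only known files.

    Two independent controls: the signature check stops unauthorised packages
    before any parsing, and the allow-list plus never-execute rule bounds the
    damage even if a signed package turns out to be malicious.
    """
    if not hmac.compare_digest(sign_package(package), signature):
        return "rejected: bad signature"
    members = _regular_members(package)
    unexpected = set(members) - ALLOWED_MEMBERS
    if unexpected:
        return "rejected: unexpected member " + ", ".join(sorted(unexpected))
    staging = workdir / "staging"
    staging.mkdir(exist_ok=True)
    for name, data in members.items():
        (staging / name).write_bytes(data)  # written for later flashing, never executed
    return "staged"


def demo() -> tuple[str, str, str, str]:
    """Run both handlers against a crafted and a legitimate package (constructed inputs)."""
    crafted = build_package({
        "image.bin": b"\x00" * 16,
        "post_install.sh": b"echo injected-command-ran\n",
    })
    legitimate = build_package({"image.bin": b"\x00" * 16, "manifest.txt": b"version=example\n"})
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        return (
            vulnerable_install(crafted, work),                        # script runs
            hardened_install(crafted, b"\x00" * 32, work),            # no valid signature
            hardened_install(crafted, sign_package(crafted), work),   # signed but wrong contents
            hardened_install(legitimate, sign_package(legitimate), work),
        )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks matters: the signature is verified over the raw bytes before the archive is opened, so a malformed or malicious archive is never parsed by the privileged handler, and the allow-list means even a correctly signed package cannot smuggle in an executable step.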

Remediation

Iocharger has released firmware version 24120701, which fixes this vulnerability. Firmware version 25010801 fixes three further vulnerabilities; to obtain it, contact your Iocharger distributor or Iocharger directly at sales@iocharger.com. Until a charger is updated, restrict network access to its web interface and limit the accounts that hold firmware-upload rights, since both are required to exploit this issue.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (custom algorithm)

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.