Iocharger AC Models Plaintext Default Credentials Vulnerability

Vulnerability

A vulnerability exists in Iocharger AC model EV chargers running firmware prior to 25010801, allowing default credentials to be extracted from the firmware. This issue arises because all chargers of this model initially shared the same password, and the lack of a mandatory password change in earlier firmware versions leaves many devices vulnerable. Once obtained, these credentials could enable unauthorized access to the charging stations, where attackers could execute arbitrary commands through the System → Custom page.

Impact

Exploitation of this vulnerability allows attackers to log into Iocharger charging stations using the extracted default credentials. This access could be used to execute arbitrary commands on the device, potentially leading to a full compromise of the charging station. Given that these are EV chargers handling significant power, there is a potential safety impact as well.

Remediation

Iocharger has released firmware version 25010801, which addresses this vulnerability by requiring a password change on first login. However, users are advised to change passwords on older models as well. The firmware update is available through Iocharger distributors. If not contacted by a distributor, users can reach out to Iocharger directly via email for the update.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.8
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.