Iocharger AC Model Chargers Arbitrary File Download Vulnerability
Vulnerability
An authenticated arbitrary file download vulnerability has been identified in Iocharger firmware for AC model chargers prior to version 24120701. The issue arises from a CGI script that accepts a file path from the requester without restricting it to an intended directory, so an authenticated user can download any file on the filesystem, including sensitive files such as '/etc/shadow', the CGI script's own source code, binaries, and configuration files. The vulnerability has a high likelihood of exploitation, but it does require authentication. The impact is critical, as it allows the extraction of confidential files from the device.
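The following is an added example, not Iocharger's code and not the script from the advisory: it places the unsafe download pattern described above (a user-supplied path joined onto a directory and opened as-is) next to a hardened handler that confines downloads to a single export directory. The `file` parameter, the export directory, the allowed suffixes and all sample files are assumptions constructed for the illustration; the advisory names none of them.

```python
"""Added example (not Iocharger's code): the unsafe file-download pattern the
advisory describes, next to a hardened handler that confines downloads to
one export directory.  The export directory, the allowed suffixes and all
sample files below are assumptions for this illustration."""

import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = (".log", ".csv")   # assumption: only exported reports are downloadable


class DownloadRejected(Exception):
    """Raised by the hardened handler for any request outside the export root."""


def unsafe_download(export_root: str, requested: str) -> bytes:
    """Vulnerable pattern: the user-controlled name is joined onto the root and
    opened with no check.  '../' walks out of the root, and an absolute
    ``requested`` makes os.path.join discard the root entirely."""
    path = os.path.join(export_root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_download(export_root: str, requested: str) -> bytes:
    """Hardened handler: reject obviously bad input, canonicalise the joined
    path (following symlinks), and only then prove it still lies inside the
    export root and names an ordinary file of an allowed type."""
    root = Path(export_root).resolve()
    if "\x00" in requested or Path(requested).is_absolute():
        raise DownloadRejected("absolute path or NUL byte in request")
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)      # ValueError if candidate escaped the root
    except ValueError:
        raise DownloadRejected(f"{requested!r} resolves outside export root") from None
    if not candidate.is_file():
        raise DownloadRejected(f"{requested!r} is not a regular file")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise DownloadRejected(f"{candidate.suffix!r} is not a downloadable type")
    return candidate.read_bytes()


def build_fixture():
    """Constructed sample filesystem for the demo: an export directory holding a
    report and a firmware blob, a 'secret' config file outside it, and a
    symlink inside the export directory pointing at that secret."""
    base = Path(tempfile.mkdtemp(prefix="charger-demo-"))
    export = base / "export"
    export.mkdir()
    (export / "session.log").write_bytes(b"charge session 1 ok\n")
    (export / "firmware.bin").write_bytes(b"\x7fELF constructed")
    secret = base / "secret.conf"
    secret.write_bytes(b"admin_password=CONSTRUCTED\n")
    try:
        (export / "link.log").symlink_to(secret)
    except OSError:
        pass                              # symlinks unavailable on this host; case is skipped
    return str(export), str(secret)


def demonstrate() -> dict:
    """Run both handlers over the fixture and report what each allowed."""
    export, secret = build_fixture()
    out = {
        "unsafe_traversal": unsafe_download(export, "../secret.conf"),
        "unsafe_absolute": unsafe_download(export, secret),
        "safe_ok": safe_download(export, "session.log"),
        "rejected": {},
    }
    cases = {"traversal": "../secret.conf", "absolute": secret,
             "wrong_type": "firmware.bin", "directory": "."}
    if Path(export, "link.log").is_symlink():
        cases["symlink"] = "link.log"
    for name, req in cases.items():
        try:
            safe_download(export, req)
            out["rejected"][name] = False
        except DownloadRejected:
            out["rejected"][name] = True
    return out


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The order of checks in `safe_download` matters: the containment test runs on the fully resolved path, so a symlink planted inside the export directory is caught as well as a plain `../` sequence. What this does not catch is a hard link to a sensitive file created inside the export directory; keeping that directory on its own filesystem, or serving downloads only from an explicit allowlist of file names, closes that gap.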
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the device, including system binaries and configuration files, potentially allowing for further exploitation or manipulation of the device.
Remediation
Iocharger has released a firmware update version 24120701 that addresses this vulnerability. For chargers that have not yet been updated, it is recommended to contact the distributor or Iocharger directly to obtain the latest firmware. Additionally, users should change any default passwords and ensure the charger is not exposed to untrusted networks.