{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T01:40:13.976","vulnerabilities":[{"cve":{"id":"CVE-2024-43650","sourceIdentifier":"csirt@divd.nl","published":"2025-01-09T08:15:27.417","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root\n\nThis issue affects  firmware versions before 24120701.\n\nLikelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request.\n\nImpact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete\nfiles and services.\n\nCVSS clarification: The attack can be executed over any network connection serving the web interface (AV:N). There are no additional measures that need to be circumvented (AC:L) or attack preconditions (AT:N). THe attack is privileged, but the level does not matter (PR:L) and does not require user interaction (UI:N). Attack leads to full system compromised (VC:H/VI:H/VA:H) and compromised devices can be used to \"pivot\" to other networks that should be unreachable (SC:L/SI:L/SA:H). Because this an EV charger using high power, there is a potential safety impact (S:P). The attack can be automated (AU:Y)."},{"lang":"es","value":"Vulnerabilidad de neutralización incorrecta de elementos especiales utilizados en un comando ('Inyección de comando') en el firmware de Iocharger para modelos AC permite la inyección de comandos del sistema operativo como superusuario este problema afecta a las versiones de firmware anteriores a 24120701. Probabilidad: moderada: el binario  no parece ser utilizado por la interfaz web, por lo que puede ser más difícil de encontrar. Sin embargo, parece ser en gran medida el mismo binario que utiliza la estación de carga Pedestal de Iocharger. El atacante también necesitará una cuenta (con privilegios bajos) para obtener acceso al binario  o convencer a un usuario con dicho acceso para que ejecute una solicitud HTTP manipulada. Impacto: crítico: el atacante tiene control total sobre la estación de carga como usuario superusuario y puede agregar, modificar y eliminar archivos y servicios de forma arbitraria. Aclaración de CVSS: el ataque se puede ejecutar sobre cualquier conexión de red que sirva a la interfaz web (AV:N). No hay medidas adicionales que deban eludirse (AC:L) ni condiciones previas de ataque (AT:N). El ataque es privilegiado, pero el nivel no importa (PR:L) y no requiere la interacción del usuario (UI:N). El ataque provoca la vulneración total del sistema (VC:H/VI:H/VA:H) y los dispositivos vulnerados pueden utilizarse para \"pivotar\" hacia otras redes que deberían ser inaccesibles (SC:L/SI:L/SA:H). Debido a que se trata de un cargador de vehículos eléctricos que utiliza alta potencia, existe un posible impacto en la seguridad (S:P). El ataque puede automatizarse (AU:Y)."}],"metrics":{"cvssMetricV40":[{"source":"csirt@divd.nl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"csirt@divd.nl","type":"Secondary","description":[{"lang":"en","value":"CWE-78"},{"lang":"en","value":"CWE-250"}]}],"references":[{"url":"https://csirt.divd.nl/CVE-2024-43650/","source":"csirt@divd.nl"},{"url":"https://csirt.divd.nl/DIVD-2024-00035/","source":"csirt@divd.nl"},{"url":"https://iocharger.com","source":"csirt@divd.nl"}]}}]}