{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T21:14:12.477","vulnerabilities":[{"cve":{"id":"CVE-2024-43651","sourceIdentifier":"csirt@divd.nl","published":"2025-01-09T08:15:27.590","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root\nThis issue affects Iocharger firmware for AC models before version 241207101\n\nLikelihood: Moderate – The <redacted> binary does not seem to be used by the web interface, so it might be more difficult to find. It seems to be largely the same binary as used by the Iocharger Pedestal charging station, however. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a crafted HTTP request.\n\nImpact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\n\nCVSS clarification: Any network connection serving the web interface is vulnerable (AV:N) and there are no additional measures to circumvent (AC:L) nor does the attack require special conditions to be present (AT:N). The attack requires authentication, but the level does not matter (PR:L), nor is user interaction required (UI:N). The attack leads to a full compromised (VC:H/VI:H/VA:H) and a compromised device can be used to potentially \"pivot\" into a network that should nopt be reachable (SC:L/SI:L/SA:H). Because this is an EV charger handing significant power, there is a potential safety impact (S:P). THe attack can be autometed (AU:Y)."},{"lang":"es","value":"Vulnerabilidad de neutralización incorrecta de elementos especiales utilizados en un comando ('Inyección de comando') permite la inyección de comandos del sistema operativo como superusuario este problema afecta al firmware de Iocharger para modelos AC anteriores a la versión 241207101 Probabilidad: Moderada: el binario  no parece ser utilizado por la interfaz web, por lo que podría ser más difícil de encontrar. Sin embargo, parece ser en gran medida el mismo binario que utiliza la estación de carga Pedestal de Iocharger. El atacante también necesitará una cuenta (con privilegios bajos) para obtener acceso al binario  o convencer a un usuario con dicho acceso para que ejecute una solicitud HTTP manipulada. Impacto: Crítico: el atacante tiene control total sobre la estación de carga como usuario superusuario y puede agregar, modificar y eliminar archivos y servicios de forma arbitraria. Aclaración de CVSS: cualquier conexión de red que sirva a la interfaz web es vulnerable (AV:N) y no hay medidas adicionales para eludirla (AC:L) ni el ataque requiere que se presenten condiciones especiales (AT:N). El ataque requiere autenticación, pero el nivel no importa (PR:L), ni se requiere interacción del usuario (UI:N). El ataque lleva a un ataque completo (VC:H/VI:H/VA:H) y un dispositivo atacado puede usarse para \"pivotar\" potencialmente hacia una red que no debería ser accesible (SC:L/SI:L/SA:H). Debido a que se trata de un cargador de vehículos eléctricos que gestiona una cantidad significativa de energía, existe un posible impacto en la seguridad (S:P). El ataque puede automatizarse (AU:Y)."}],"metrics":{"cvssMetricV40":[{"source":"csirt@divd.nl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"csirt@divd.nl","type":"Secondary","description":[{"lang":"en","value":"CWE-78"},{"lang":"en","value":"CWE-250"}]}],"references":[{"url":"https://csirt.divd.nl/CVE-2024-43651/","source":"csirt@divd.nl"},{"url":"https://csirt.divd.nl/DIVD-2024-00035/","source":"csirt@divd.nl"},{"url":"https://iocharger.com","source":"csirt@divd.nl"}]}}]}