CVE-2024-43648
Vulnerability from cvelistv5
Published
2025-01-09 07:56
Modified
2025-03-11 13:07
Summary
Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload. Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services. CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).  A compromised charger can be used to "pivot" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H). Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (S:P). The attack can be automated (AU:Y).
Impacted products
Show details on NVD website


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 8.8,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-43648",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-09T14:45:36.579487Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-09T14:46:04.780Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Iocharger firmware for AC models",
               vendor: "Iocharger",
               versions: [
                  {
                     lessThan: "24120701",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Wilco van Beijnum",
            },
            {
               lang: "en",
               type: "analyst",
               value: "Harm van den Brink (DIVD)",
            },
            {
               lang: "en",
               type: "analyst",
               value: "Frank Breedijk (DIVD)",
            },
         ],
         datePublic: "2025-01-09T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Command injection in the &lt;redacted&gt; parameter of a &lt;redacted&gt;.exe request leads to remote code execution as the root user.<br><br>This issue affects Iocharger firmware for AC models before version 24120701.<br><br>Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all &lt;redacted&gt; fields. The attacker will also need a (low privilege) account to gain access to the &lt;redacted&gt; binary, or convince a user with such access to execute a payload.<br><br>Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.<br><br>CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).&nbsp; A compromised charger can be used to \"pivot\" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H).&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (</span>S:P). The attack can be automated (AU:Y).<br>",
                  },
               ],
               value: "Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execution as the root user.\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\n\nImpact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\n\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).  A compromised charger can be used to \"pivot\" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H). Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (S:P). The attack can be automated (AU:Y).",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-88",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-88 OS Command Injection",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV4_0: {
                  Automatable: "YES",
                  Recovery: "NOT_DEFINED",
                  Safety: "PRESENT",
                  attackComplexity: "LOW",
                  attackRequirements: "NONE",
                  attackVector: "NETWORK",
                  baseScore: 9.3,
                  baseSeverity: "CRITICAL",
                  privilegesRequired: "LOW",
                  providerUrgency: "NOT_DEFINED",
                  subAvailabilityImpact: "HIGH",
                  subConfidentialityImpact: "LOW",
                  subIntegrityImpact: "LOW",
                  userInteraction: "NONE",
                  valueDensity: "NOT_DEFINED",
                  vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/S:P/AU:Y",
                  version: "4.0",
                  vulnAvailabilityImpact: "HIGH",
                  vulnConfidentialityImpact: "HIGH",
                  vulnIntegrityImpact: "HIGH",
                  vulnerabilityResponseEffort: "NOT_DEFINED",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-78",
                     description: "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-250",
                     description: "CWE-250: Execution with Unnecessary Privileges",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     description: "OWASP-A03: Injection",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-11T13:07:11.657Z",
            orgId: "b87402ff-ae37-4194-9dae-31abdbd6f217",
            shortName: "DIVD",
         },
         references: [
            {
               tags: [
                  "third-party-advisory",
               ],
               url: "https://csirt.divd.nl/DIVD-2024-00035/",
            },
            {
               tags: [
                  "third-party-advisory",
               ],
               url: "https://csirt.divd.nl/CVE-2024-43648/",
            },
            {
               tags: [
                  "product",
               ],
               url: "https://iocharger.com",
            },
         ],
         source: {
            advisory: "DIVD-2024-00035",
            discovery: "EXTERNAL",
         },
         title: "Authenticated command injection via <redacted>.exe <redacted> parameter",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "b87402ff-ae37-4194-9dae-31abdbd6f217",
      assignerShortName: "DIVD",
      cveId: "CVE-2024-43648",
      datePublished: "2025-01-09T07:56:46.114Z",
      dateReserved: "2024-08-14T09:27:41.767Z",
      dateUpdated: "2025-03-11T13:07:11.657Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-43648\",\"sourceIdentifier\":\"csirt@divd.nl\",\"published\":\"2025-01-09T08:15:26.980\",\"lastModified\":\"2025-01-09T15:15:15.977\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execution as the root user.\\n\\nThis issue affects Iocharger firmware for AC models before version 24120701.\\n\\nLikelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\\n\\nImpact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\\n\\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).  A compromised charger can be used to \\\"pivot\\\" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H). Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (S:P). The attack can be automated (AU:Y).\"},{\"lang\":\"es\",\"value\":\"La inyección de comandos en el parámetro  de una solicitud .exe provoca la ejecución remota de código como usuario superusuario. Este problema afecta al firmware de Iocharger para modelos de aire acondicionado anteriores a la versión 24120701. Probabilidad: moderada: esta acción no es un lugar común para que se produzcan vulnerabilidades de inyección de comandos. Por lo tanto, es probable que un atacante solo pueda encontrar esta vulnerabilidad mediante ingeniería inversa del firmware o probándola en todos los campos . El atacante también necesitará una cuenta (con privilegios bajos) para obtener acceso al binario  o convencer a un usuario con dicho acceso para que ejecute un payload. Impacto: crítico: el atacante tiene control total sobre la estación de carga como usuario root y puede agregar, modificar y eliminar archivos y servicios de forma arbitraria. Aclaración de CVSS. El ataque se puede ejecutar a través de cualquier conexión de red que la estación esté escuchando y que sirva a la interfaz web (AV:N), y no hay ninguna medida de seguridad adicional que se deba eludir (AC:L), el ataque no depende de condiciones previas (AT:N). El ataque requiere autenticación, pero el nivel de autenticación es irrelevante (PR:L), no requiere interacción del usuario (UI:N). Se trata de un compromiso total del sistema, que potencialmente compromete por completo la confidencialidad, integridad y disponibilidad del dispositivo (VC:H/VI:H/VA:H). Un cargador comprometido se puede utilizar para \\\"pivotar\\\" hacia redes que de otro modo deberían estar cerradas, lo que causa un impacto bajo en la confidencialidad e interidad de los sistemas posteriores (SC:L/SI:L/SA:H). Debido a que este dispositivo es un cargador EV que gestiona cantidades significativas de energía, sospechamos que esta vulnerabilidad puede tener un impacto en la seguridad (S:P). El ataque se puede automatizar (AU:Y).\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"csirt@divd.nl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"HIGH\",\"subsequentSystemConfidentiality\":\"LOW\",\"subsequentSystemIntegrity\":\"LOW\",\"subsequentSystemAvailability\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"PRESENT\",\"automatable\":\"YES\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"csirt@divd.nl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-250\"}]}],\"references\":[{\"url\":\"https://csirt.divd.nl/CVE-2024-43648/\",\"source\":\"csirt@divd.nl\"},{\"url\":\"https://csirt.divd.nl/DIVD-2024-00035/\",\"source\":\"csirt@divd.nl\"},{\"url\":\"https://iocharger.com\",\"source\":\"csirt@divd.nl\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43648\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T14:45:36.579487Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T14:45:59.680Z\"}}], \"cna\": {\"title\": \"Authenticated command injection via <redacted>.exe <redacted> parameter\", \"source\": {\"advisory\": \"DIVD-2024-00035\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Wilco van Beijnum\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Harm van den Brink (DIVD)\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Frank Breedijk (DIVD)\"}], \"impacts\": [{\"capecId\": \"CAPEC-88\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-88 OS Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"PRESENT\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/S:P/AU:Y\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Iocharger\", \"product\": \"Iocharger firmware for AC models\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24120701\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-01-09T00:00:00.000Z\", \"references\": [{\"url\": \"https://csirt.divd.nl/DIVD-2024-00035/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://csirt.divd.nl/CVE-2024-43648/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://iocharger.com\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Command injection in the <redacted> parameter of a <redacted>.exe request leads to remote code execution as the root user.\\n\\nThis issue affects Iocharger firmware for AC models before version 24120701.\\n\\nLikelihood: Moderate \\u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all <redacted> fields. The attacker will also need a (low privilege) account to gain access to the <redacted> binary, or convince a user with such access to execute a payload.\\n\\nImpact: Critical \\u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.\\n\\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).\\u00a0 A compromised charger can be used to \\\"pivot\\\" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H).\\u00a0Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (S:P). The attack can be automated (AU:Y).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Command injection in the &lt;redacted&gt; parameter of a &lt;redacted&gt;.exe request leads to remote code execution as the root user.<br><br>This issue affects Iocharger firmware for AC models before version 24120701.<br><br>Likelihood: Moderate \\u2013 This action is not a common place for command injection vulnerabilities to occur. Thus, an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all &lt;redacted&gt; fields. The attacker will also need a (low privilege) account to gain access to the &lt;redacted&gt; binary, or convince a user with such access to execute a payload.<br><br>Impact: Critical \\u2013 The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.<br><br>CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). If is a full system compromise, potentially fully compromising confidentiality, integrity and availability of the devicer (VC:H/VI:H/VA:H).&nbsp; A compromised charger can be used to \\\"pivot\\\" onto networks that should otherwise be closed, cause a low confidentiality and interity impact on subsequent systems. (SC:L/SI:L/SA:H).&nbsp;<span style=\\\"background-color: rgb(255, 255, 255);\\\">Because this device is an EV charger handing significant amounts of power, we suspect this vulnerability can have a safety impact (</span>S:P). The attack can be automated (AU:Y).<br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-250\", \"description\": \"CWE-250: Execution with Unnecessary Privileges\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"description\": \"OWASP-A03: Injection\"}]}], \"providerMetadata\": {\"orgId\": \"b87402ff-ae37-4194-9dae-31abdbd6f217\", \"shortName\": \"DIVD\", \"dateUpdated\": \"2025-03-11T13:07:11.657Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-43648\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-11T13:07:11.657Z\", \"dateReserved\": \"2024-08-14T09:27:41.767Z\", \"assignerOrgId\": \"b87402ff-ae37-4194-9dae-31abdbd6f217\", \"datePublished\": \"2025-01-09T07:56:46.114Z\", \"assignerShortName\": \"DIVD\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.