We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-11666

Unauthenticated Remote Command Injection in eCharge Salia PLCC



Description

Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users  suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices. This issue affects cph2_echarge_firmware: through 2.0.4.

Reserved 2024-11-24 | Published 2024-11-24 | Updated 2024-11-25 | Assigner ONEKEY


CRITICAL: 9.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-345 Insufficient Verification of Data Authenticity

Product status

Default status
unaffected

Any version
affected

Credits

Quentin Kaiser from ONEKEY Research Labs finder

References

www.onekey.com/...g-stations-analysis-of-echarge-controllers third-party-advisory

cve.org (CVE-2024-11666)

nvd.nist.gov (CVE-2024-11666)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-11666

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.