Description

Affected devices beacon to eCharge cloud infrastructure, asking whether there are any commands they should run. This communication is established over an insecure channel because peer verification is disabled everywhere. As a result, remote unauthenticated users suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices. This issue affects cph2_echarge_firmware: through 2.0.4.

PUBLISHED Reserved 2024-11-24 | Published 2024-11-24 | Updated 2024-11-25 | Assigner ONEKEY




CRITICAL: 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-345 Insufficient Verification of Data Authenticity

Product status

Default status: unaffected

Any version: affected

Credits

Quentin Kaiser from ONEKEY Research Labs (finder)

References

www.onekey.com/...g-stations-analysis-of-echarge-controllers third-party-advisory

cve.org (CVE-2024-11666)

nvd.nist.gov (CVE-2024-11666)
