Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users  suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices. This issue affects cph2_echarge_firmware: through 2.0.4.
History

Tue, 03 Dec 2024 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Echarge
Echarge salia Plcc
Echarge salia Plcc Firmware
CPEs cpe:2.3:h:echarge:salia_plcc:-:*:*:*:*:*:*:*
cpe:2.3:o:echarge:salia_plcc_firmware:*:*:*:*:*:*:*:*
Vendors & Products Echarge
Echarge salia Plcc
Echarge salia Plcc Firmware

Mon, 25 Nov 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Hardy-barth
Hardy-barth cph2 Echarge Firmware
CPEs cpe:2.3:o:hardy-barth:cph2_echarge_firmware:*:*:*:*:*:*:*:*
Vendors & Products Hardy-barth
Hardy-barth cph2 Echarge Firmware
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 25 Nov 2024 00:30:00 +0000

Type Values Removed Values Added
References

Sun, 24 Nov 2024 23:30:00 +0000


Sun, 24 Nov 2024 22:45:00 +0000

Type Values Removed Values Added
Description Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users  suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices. This issue affects cph2_echarge_firmware: through 2.0.4.
Title Unauthenticated Remote Command Injection in eCharge Salia PLCC
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ONEKEY

Published: 2024-11-24T22:36:59.989Z

Updated: 2024-11-25T01:28:57.027Z

Reserved: 2024-11-24T22:27:19.421Z

Link: CVE-2024-11666

cve-icon Vulnrichment

Updated: 2024-11-25T01:28:53.472Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-24T23:15:04.030

Modified: 2024-12-03T15:40:14.907

Link: CVE-2024-11666

cve-icon Redhat

No data.