CVE-2024-4622
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| alpitronic | Hypercharger EV Charger | all versions | affected |
Weaknesses
- CWE-1392: CWE-1392
Workarounds
alpitronic recommends users change the default credentials for all charging devices.
alpitronic advises that the interface should be connected only to internal segregated and access-controlled networks and not exposed to the public internet/web.
When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices and all clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.
alpitronic are also applying mitigations to all devices in the field and to new devices in production. New devices will come with unique passwords. Devices using the default password will be automatically assigned new unique passwords, or at first access if the device has not yet been installed. Devices with the default passwords already changed will not be affected. New passwords can be obtained by scanning the QR-Code inside the charger or in DMS portal hyperdoc. Contact Hypercharger support with any questions about newly assigned passwords.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://industrydecarbonization.com/news/insecure-password-allowed-administrative-access-to-electric-vehicle-chargers.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.