CVE-2024-4622

Summary

If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.

Affected Software

VendorProductVersion RangeStatus
alpitronicHypercharger EV Chargerall versionsaffected

Weaknesses

  • CWE-1392: CWE-1392

Workarounds

alpitronic recommends users change the default credentials for all charging devices.

alpitronic advises that the interface should be connected only to internal segregated and access-controlled networks and not exposed to the public internet/web.

When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices and all clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.

alpitronic are also applying mitigations to all devices in the field and to new devices in production. New devices will come with unique passwords. Devices using the default password will be automatically assigned new unique passwords, or at first access if the device has not yet been installed. Devices with the default passwords already changed will not be affected. New passwords can be obtained by scanning the QR-Code inside the charger or in DMS portal hyperdoc. Contact Hypercharger support with any questions about newly assigned passwords.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References