alpitronic Hypercharger EV Charger

RISK EVALUATION. Successful exploitation of this vulnerability could result in an attacker disabling the device, bypassing payment, or accessing payment data.
If misconfigured, the charging devices can expose a web interface protected by authentication.
If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.
MITIGATIONS. alpitronic recommends users change the default credentials for all charging devices.
When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices. All clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.
alpitronic is also applying mitigations to all devices in the field and to new devices in production.
Devices still using the default password will automatically be assigned a new unique password; devices that have not yet been installed will be assigned one at first access.
Devices with the default passwords already changed will not be affected.
New passwords can be obtained by scanning the QR code inside the charger or from the DMS portal hyperdoc.
Contact Hypercharger support with any questions about newly assigned passwords.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Also recognize that a VPN is only as secure as the devices connected to it.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section on recommended practices for control systems security on the ICS webpage on cisa.
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


This Cyber News was published on www.cisa.gov. Publication date: Thu, 09 May 2024 15:35:09 +0000

