CVE-2024-43658
CVE-2024-43658 is a high-severity vulnerability with a CVSS 4.0 base score of 7.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-27.
Key facts
- Severity: High (CVSS 4.0 base score 7.2)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-40402
- Weakness: CWE-27
- Published:
- Last modified:
Description
Patch traversal, External Control of File Name or Path vulnerability in Iocharger Home allows deletion of arbitrary files This issue affects Iocharger firmware for AC model before firmware version 25010801. Likelihood: High, but requires authentication Impact: Critical – The vulnerability can be used to delete any file on the charging station, severely impacting the integrity of the charging station. Furthermore, the vulnerability could be used to delete binaries required for the functioning of the charging station, severely impacting the availability of the charging station. CVSS clarification: Any network interface serving the web ui is vulnerable (AV:N) and there are not additional security measures to circumvent (AC:L), nor does the attack require and existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads compromised of the integrity and availability of the device (VVC:N/VI:H/VA:H), with no effect on subsequent systems (SC:N/SI:N/SA:N). We do not forsee a safety impact (S:N). This attack can be automated (AU:Y).
Frequently asked questions
- What is CVE-2024-43658?
- Patch traversal, External Control of File Name or Path vulnerability in Iocharger Home allows deletion of arbitrary files This issue affects Iocharger firmware for AC model before firmware version 25010801. Likelihood: High, but requires authentication Impact: Critical – The vulnerability can be used to delete any file on the charging station, severely impacting the integrity of the charging station. Furthermore, the vulnerability could be used to delete binaries required for the functioning of the charging station, severely impacting the availability of the charging station. CVSS clarification: Any network interface serving the web ui is vulnerable (AV:N) and there are not additional security measures to circumvent (AC:L), nor does the attack require and existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads compromised of the integrity and availability of the device (VVC:N/VI:H/VA:H), with no effect on subsequent systems (SC:N/SI:N/SA:N). We do not forsee a safety impact (S:N). This attack can be automated (AU:Y).
- How severe is CVE-2024-43658?
- CVE-2024-43658 has a CVSS 4.0 base score of 7.2, rated high severity.
- Is CVE-2024-43658 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-43658?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-43658 have an EU (EUVD) identifier?
- Yes. CVE-2024-43658 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-40402.
- When was CVE-2024-43658 published?
- CVE-2024-43658 was published on 2025-01-09 and last updated on 2026-06-17.
References
Other CWE-27 vulnerabilities
- CVE-2024-21896 — Critical (CVSS 9.8): The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the…
- CVE-2025-10438 — High (CVSS 8.6): Path Traversal: 'dir/../../filename' vulnerability in Yordam Information Technology Consulting Education and Electrical…
- CVE-2025-58761 — High (CVSS 8.6): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in…
- CVE-2024-24809 — High (CVSS 8.5): Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted…
- CVE-2023-20090 — Medium (CVSS 6.7): A vulnerability in Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to elevate privileges…
- CVE-2025-52237 — Medium (CVSS 6.5): An issue in the component /stl/actions/download?filePath of SSCMS v7.3.1 allows attackers to execute a directory…