CVE-2024-11666

CRITICAL Year: 2024
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-345
View all →

Vulnerability Description

Affected devices beacon to eCharge cloud infrastructure asking if there are any command they should run. This communication is established over an insecure channel since peer verification is disabled everywhere. Therefore, remote unauthenticated users suitably positioned on the network between an EV charger controller and eCharge infrastructure can execute arbitrary commands with elevated privileges on affected devices. This issue affects cph2_echarge_firmware: through 2.0.4.

Related Vulnerabilities

CVE-2013-2167

CRITICAL
CVSS:9.8(Critical)

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass

CWE-3452013

CVE-2015-3956

CRITICAL
CVSS:9.8(Critical)

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pum...

CWE-3452015

CVE-2016-1000004

CRITICAL
CVSS:9.8(Critical)

Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0...

CWE-3452016

CVE-2017-3198

CRITICAL
CVSS:9.8(Critical)

GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary mo...

CWE-3452017

CVE-2018-19971

CRITICAL
CVSS:9.8(Critical)

JFrog Artifactory Pro 6.5.9 has Incorrect Access Control.

CWE-3452018

CVE-2019-11235

CRITICAL
CVSS:9.8(Critical)

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection ...

CWE-3452019