cve-2024-4622
Vulnerability from cvelistv5
Published
2024-05-15 16:54
Modified
2024-08-01 20:47
Severity ?
EPSS score ?
Summary
alpitronic Hypercharger EV Charger Use of Default Credentials
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | alpitronic | Hypercharger EV Charger |
Version: all versions |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T17:32:04.444201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:05.980Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hypercharger EV Charger",
"vendor": "alpitronic",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hanno B\u00f6ck reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nIf misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator.\n\n"
}
],
"value": "If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \nprotected by authentication. If the default credentials are not changed,\n an attacker can use public knowledge to access the device as an \nadministrator."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1392",
"description": "CWE-1392",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T16:54:08.150Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02"
}
],
"source": {
"advisory": "ICSA-24-130-02",
"discovery": "EXTERNAL"
},
"title": "alpitronic Hypercharger EV Charger Use of Default Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cp\u003ealpitronic recommends users change the default credentials for all charging devices.\u003c/p\u003e\n\u003cp\u003ealpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.\u003c/p\u003e\n\u003cp\u003eWhen informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.\u003c/p\u003e\n\u003cp\u003ealpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords.\u003c/p\u003e\n\n"
}
],
"value": "alpitronic recommends users change the default credentials for all charging devices.\n\n\nalpitronic advises that the interface should be connected only to \ninternal segregated and access-controlled networks and not exposed to \nthe public internet/web.\n\n\nWhen informed of these vulnerabilities, alpitronic, in conjunction \nwith and/or on behalf of affected clients, disabled the interface on any\n exposed devices and all clients were contacted directly and reminded \nthat the interface is not intended to be visible on the public Internet \nand that default passwords should be changed.\n\n\nalpitronic are also applying mitigations to all devices in the field \nand to new devices in production. New devices will come with unique \npasswords. Devices using the default password will be automatically \nassigned new unique passwords, or at first access if the device has not \nyet been installed. Devices with the default passwords already changed \nwill not be affected. New passwords can be obtained by scanning the \nQR-Code inside the charger or in DMS portal hyperdoc. Contact \nHypercharger support with any questions about newly assigned passwords."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-4622",
"datePublished": "2024-05-15T16:54:08.150Z",
"dateReserved": "2024-05-07T19:41:26.741Z",
"dateUpdated": "2024-08-01T20:47:41.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-4622\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2024-05-15T17:15:16.010\",\"lastModified\":\"2024-05-15T18:35:11.453\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface \\nprotected by authentication. If the default credentials are not changed,\\n an attacker can use public knowledge to access the device as an \\nadministrator.\"},{\"lang\":\"es\",\"value\":\"Si est\u00e1n mal configurados, los dispositivos de carga alpitronic Hypercharger EV pueden exponer una interfaz web protegida por autenticaci\u00f3n. Si no se cambian las credenciales predeterminadas, un atacante puede utilizar el conocimiento p\u00fablico para acceder al dispositivo como administrador.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1392\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-130-02\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.