CVE-2024-23967
📋 TL;DR
This vulnerability allows network-adjacent attackers to execute arbitrary code on Autel MaxiCharger AC Elite Business C50 electric vehicle chargers by sending specially crafted WebSocket messages. Attackers can bypass authentication to exploit a stack-based buffer overflow in the base64 decoding function. Organizations using these chargers in business or public charging environments are affected.
💻 Affected Systems
- Autel MaxiCharger AC Elite Business C50
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the charging station allowing attackers to disable charging, manipulate billing, access connected vehicle data, or pivot to other network systems.
Likely Case
Disruption of charging services, unauthorized access to charging station controls, and potential data exfiltration from the device.
If Mitigated
Limited impact with proper network segmentation and monitoring, though service disruption remains possible.
🎯 Exploit Status
Authentication bypass is required but documented, making exploitation feasible for skilled attackers
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Autel for specific firmware version
Vendor Advisory: https://www.autel.com/security-advisories
Restart Required: Yes
Instructions:
1. Contact Autel support for latest firmware
2. Download firmware update package
3. Upload to charger via management interface
4. Apply update and restart charger
🔧 Temporary Workarounds
Network Segmentation
allIsolate charging stations on separate VLAN with strict firewall rules
WebSocket Access Restriction
allBlock WebSocket connections to chargers from untrusted networks
🧯 If You Can't Patch
- Place chargers on isolated network segment with no internet access
- Implement strict network monitoring for WebSocket traffic to charger IPs
🔍 How to Verify
Check if Vulnerable:
Check firmware version in charger web interface and compare against Autel's patched version listCheck Version:
Check via charger web interface: System > About or similar menuVerify Fix Applied:
Verify firmware version matches patched version from vendor advisory📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connection patterns
- Multiple failed authentication attempts followed by successful WebSocket connections
- Large base64-encoded payloads in network logs
Network Indicators:
- WebSocket traffic to charger management ports (typically 80/443) with unusually large payloads
- Base64-encoded data exceeding typical message sizes
SIEM Query:
source="network_traffic" dest_port=80 OR dest_port=443 protocol="websocket" payload_size>10000