OTPulse

alpitronic Hypercharger EV charger

CVSS 8.2 | ICS-CERT ICSA-24-130-02 | Published May 9, 2024
Attack Vector: Network
Auth Required: None (factory default credentials suffice)
Complexity: Low
User Interaction: None needed
Summary

Successful exploitation of this vulnerability could result in an attacker disabling the Hypercharger device, bypassing payment, or accessing payment data. The vulnerability exists because the device ships with default credentials on a management interface that was never intended for internet exposure. An attacker who can reach that interface from the public internet or an untrusted network only has to log in with the factory credentials. alpitronic has not released a firmware patch and states that no fix is available for existing devices; instead, the vendor is applying runtime mitigations, including automatic password resets and disabling exposed interfaces. The operator-side mitigation is to change the default credentials immediately and ensure the management interface is not reachable from the public internet.

What this means
What could happen
An attacker with network access to an exposed Hypercharger could disable charging operations, bypass payment, or access payment data held by the device's payment functions.
Who's at risk
Electric vehicle charging facility operators and municipal/commercial entities deploying alpitronic Hypercharger devices, particularly those exposed to untrusted networks or with default credentials still active. This affects any charging network using Hypercharger units with internet-facing management interfaces.
How it could be exploited
An attacker scans the internet for exposed Hypercharger management interfaces, logs in with the factory default credentials, and uses the device control and payment functions to disable charging, bypass payment, or exfiltrate payment data.
Prerequisites
  • Default credentials not changed (username and password set to factory defaults)
  • Management interface exposed to the public internet or untrusted network
  • Network connectivity to the Hypercharger's management port
Tags: remotely exploitable · no authentication required (default credentials) · low complexity · no patch available · affects payment systems
Exploitability
EPSS 0.5% (low modelled probability of exploitation in the wild within the next 30 days). Treat this as a weak signal for this advisory: the only prerequisites are an internet-reachable management interface and unchanged factory credentials, both of which are trivial for an attacker to test, so any exposed device should be remediated as if it will be found.
Affected products (1)
Product                    Affected versions           Fix status
Hypercharger EV charger    vers:all/* (all versions)   No fix (listed as EOL)
Remediation & Mitigation
Do now
WORKAROUNDImmediately change default credentials on all Hypercharger devices to unique, strong passwords
WORKAROUNDVerify that the Hypercharger management interface is not exposed to the public internet; if exposed, disable or restrict access immediately
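The exploitation path above and the two "Do now" items reduce to two checks per charger: is the management interface reachable from an untrusted vantage point, and does it still accept factory credentials. The script below is an added example written for this page; it is not OTPulse's or alpitronic's code. Everything device-specific is an assumption: the management port (443 is a placeholder), an HTTP Basic login (a real UI may use a form login, in which case only the reachability check applies), and the credentials, which the operator supplies from vendor documentation; none are embedded here. The inventory addresses are constructed TEST-NET values.

```python
"""Exposure audit for charger management interfaces.

Added example for this advisory; not OTPulse's or alpitronic's code.
Assumptions (hypothetical, not taken from the advisory):
  * the management interface is a web UI on a TCP port the operator knows
    (443 below is a placeholder);
  * the login is HTTP Basic; if the real UI uses a form login, only the
    reachability result is meaningful;
  * factory credentials are passed in by the operator, never hard-coded.
Run it from an untrusted vantage point (a host outside the charging
network): any charger that answers from there is exposed.
"""
import base64
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Charger:
    name: str
    host: str
    port: int = 443          # placeholder management port (assumption)


@dataclass(frozen=True)
class Finding:
    name: str
    reachable: bool
    default_creds_accepted: Optional[bool]   # None when never tested
    severity: str


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def basic_auth_status(host: str, port: int, username: str, password: str,
                      path: str = "/", timeout: float = 5.0) -> Optional[int]:
    """HTTP status for one Basic-auth GET, or None if the request failed.

    Certificate verification is disabled because field devices commonly
    present self-signed certificates; the probe only observes the login outcome.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(reachable: bool, creds_accepted: Optional[bool]) -> str:
    """Map the two observations onto the advisory's prerequisites."""
    if reachable and creds_accepted:
        return "CRITICAL"   # exposed AND factory credentials still work
    if reachable:
        return "HIGH"       # exposed; credentials rejected or untested
    return "OK"             # not reachable from this vantage point


def audit(chargers, default_creds, reach=tcp_reachable, login=basic_auth_status):
    """Probe every charger. reach/login are injectable so the logic can be
    exercised offline without touching real devices."""
    user, pw = default_creds
    findings = []
    for c in chargers:
        reachable = reach(c.host, c.port)
        accepted = None
        if reachable:
            status = login(c.host, c.port, user, pw)
            accepted = status is not None and 200 <= status < 300
        findings.append(Finding(c.name, reachable, accepted,
                                classify(reachable, accepted)))
    return findings


if __name__ == "__main__":
    import sys
    # Constructed inventory (TEST-NET addresses); replace with the real one.
    inventory = [Charger("site-a", "192.0.2.10"),
                 Charger("site-b", "192.0.2.11", 8443)]
    creds = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("user", "pass")
    for f in audit(inventory, creds):
        print(f"{f.severity:8} {f.name}: reachable={f.reachable} "
              f"default_creds_accepted={f.default_creds_accepted}")
```

A CRITICAL finding means both prerequisites in the advisory are met and the device should be taken off the untrusted network and re-credentialed immediately; a HIGH finding still means the interface is exposed and should be firewalled, because the credential probe can only confirm a Basic-auth login and says nothing about a form-based one.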
Schedule — requires maintenance window

Credential resets, interface disablement and firewall changes may interrupt active charging sessions; apply them in a maintenance window.

HARDENINGImplement network segmentation to isolate Hypercharger devices to an internal, access-controlled network separate from public-facing systems
HARDENINGUse firewall rules to restrict access to the Hypercharger management interface to authorized internal networks only
Mitigations - no patch available
All versions (vers:all/*) of the Hypercharger EV charger are listed as End of Life and the vendor has stated that no patch will be released for existing devices. The vendor-side measures (automatic password reset, disabling exposed interfaces) do not replace the operator's own controls. Apply the following compensating controls:
HARDENINGIf remote management access is required, route it through a VPN that is kept current on security patches and enforces strong authentication, and keep the management interface unreachable except through that VPN