PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-4622 alpitronic CVE debrief

CVE-2024-4622 describes a default credential vulnerability in alpitronic Hypercharger EV charging devices. When the web interface is exposed and the default credentials remain unchanged, an attacker can use the publicly known credentials to gain administrative access. The vulnerability carries a HIGH severity CVSS score of 8.2, reflecting its high availability impact. CISA published this advisory on May 9, 2024; alpitronic's coordinated response included direct client notification, disabling the interface on exposed devices, and production changes to enforce unique passwords.

Vendor: alpitronic
Product: Hypercharger EV charger
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-09
Original CVE updated: 2024-05-09
Advisory published: 2024-05-09
Advisory updated: 2024-05-09

Who should care

Organizations operating alpitronic Hypercharger EV charging infrastructure, particularly those with remote management requirements or internet-connected charging networks. Critical infrastructure operators, EV fleet managers, and facility security teams responsible for OT/ICS network segmentation should prioritize assessment.

Technical summary

The alpitronic Hypercharger EV charger's web interface, when misconfigured for network exposure, still accepts the publicly known default credentials if they have not been changed. Successful authentication grants administrative device access. The vulnerability is network-exploitable with low attack complexity, requiring no privileges or user interaction. The CVSS 3.0 score is driven by the high availability impact (A:H) with only limited confidentiality impact (C:L) and no integrity impact (I:N). alpitronic's response includes production changes mandating unique passwords, automatic password reassignment for field devices still on the default configuration, and direct client outreach for exposed systems.

Defensive priority

HIGH

Recommended defensive actions

  • Immediately inventory all alpitronic Hypercharger EV charging devices and verify web interface exposure status
  • Change default credentials on all devices; new devices now ship with unique passwords retrievable via QR code or DMS portal
  • Ensure charging device web interfaces are connected only to internal segregated networks with access controls, never exposed to public internet
  • Contact Hypercharger support for assistance with newly assigned passwords on field-updated devices
  • Review network segmentation for EV charging infrastructure against ICS-CERT recommended practices

Evidence notes

Advisory ICSA-24-130-02 confirms alpitronic Hypercharger EV charger as affected product. CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H yields score 8.2. Remediation timeline indicates vendor-coordinated response with field mitigations and production changes for unique passwords.

Official resources

2024-05-09