CVE-2024-7795: CWE-121: Stack-based Buffer Overflow in Autel MaxiCharger AC Elite Business C50
Autel MaxiCharger AC Elite Business C50 AppAuthenExchangeRandomNum Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the AppAuthenExchangeRandomNum BLE command. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23384.
AI Analysis
Technical Summary
CVE-2024-7795 is a stack-based buffer overflow vulnerability identified in the Autel MaxiCharger AC Elite Business C50, a device used for charging electric vehicles. The flaw exists in the handling of the AppAuthenExchangeRandomNum command over Bluetooth Low Energy (BLE). Specifically, the device fails to properly validate the length of user-supplied data before copying it into a fixed-length stack buffer, leading to a classic stack-based buffer overflow (CWE-121). This memory corruption can be exploited by a network-adjacent attacker—meaning someone within wireless range of the device—to execute arbitrary code with the privileges of the device's software. Notably, the vulnerability requires no authentication or user interaction, significantly lowering the barrier to exploitation. The CVSS v3.0 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. While no public exploits have been reported, the vulnerability was assigned by the Zero Day Initiative (ZDI) as ZDI-CAN-23384 and published on August 21, 2024. The affected version is 1.32.00 of the product. The absence of a patch link suggests that a fix may not yet be publicly available, increasing urgency for mitigation. This vulnerability could allow attackers to take full control of the charger, potentially disrupting EV charging infrastructure or using the device as a foothold into broader networks.
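The missing length check described above, as an added C example (not Autel firmware and not taken from the advisory). The frame layout, the 16-byte buffer size and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout: [opcode:1][len:1][payload:len]. */
#define HDR_LEN   2
#define NONCE_LEN 16   /* assumed size of the fixed stack buffer */

enum status { FRAME_OK = 0, FRAME_TRUNCATED, FRAME_BAD_LENGTH };

/* The CWE-121 pattern: the sender's length byte sizes the copy.
 * Shown for contrast only; not called anywhere in this example. */
void exchange_unchecked(const uint8_t *frame, uint8_t out[NONCE_LEN])
{
    uint8_t nonce[NONCE_LEN];
    memcpy(nonce, frame + HDR_LEN, frame[1]);   /* up to 255 bytes into 16 */
    memcpy(out, nonce, NONCE_LEN);
}

/* Hardened form: every length is validated before the first copy. */
enum status exchange_checked(const uint8_t *frame, size_t frame_len,
                             uint8_t out[NONCE_LEN])
{
    uint8_t nonce[NONCE_LEN];

    if (frame == NULL || frame_len < HDR_LEN)
        return FRAME_TRUNCATED;            /* header not fully received */
    if (frame[1] != NONCE_LEN)
        return FRAME_BAD_LENGTH;           /* declared length must match the buffer */
    if (frame_len - HDR_LEN < NONCE_LEN)
        return FRAME_TRUNCATED;            /* fewer bytes arrived than declared */
    memcpy(nonce, frame + HDR_LEN, sizeof nonce);
    memcpy(out, nonce, NONCE_LEN);
    return FRAME_OK;
}

/* Constructed sample input: a frame declaring `declared` payload bytes,
 * of which `received` bytes (header included) actually arrived. */
enum status check_sample(uint8_t declared, size_t received)
{
    uint8_t frame[HDR_LEN + 255] = { 0x01, declared };
    uint8_t out[NONCE_LEN];

    memset(frame + HDR_LEN, 0xA5, sizeof frame - HDR_LEN);
    return exchange_checked(frame, received, out);
}
```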
Potential Impact
The impact of CVE-2024-7795 is significant for organizations deploying Autel MaxiCharger AC Elite Business C50 chargers. Successful exploitation allows remote code execution without authentication, enabling attackers to compromise the device fully. This could lead to unauthorized control over charging operations, disruption of EV charging services, and potential safety risks if chargers are manipulated maliciously. Additionally, compromised chargers could serve as pivot points for lateral movement within corporate or utility networks, threatening broader infrastructure. Confidentiality is at risk as attackers may intercept or alter data; integrity is compromised through unauthorized code execution; and availability may be disrupted by device malfunction or denial-of-service conditions. Given the increasing reliance on EV infrastructure, such vulnerabilities could have cascading effects on transportation and energy sectors. The lack of known exploits currently provides a limited window for proactive defense, but the ease of exploitation and high privileges gained make this a critical concern.
Mitigation Recommendations
To mitigate CVE-2024-7795, organizations should first monitor Autel's official channels for patches or firmware updates addressing this vulnerability and apply them promptly once available. Until a patch is released, network segmentation should be enforced to isolate EV chargers from critical internal networks, limiting attacker lateral movement. Disable or restrict BLE connectivity where possible, or implement strong BLE access controls and monitoring to detect anomalous command usage. Employ intrusion detection systems (IDS) capable of monitoring BLE traffic for suspicious patterns. Regularly audit and inventory all EV charging devices to ensure affected versions are identified and tracked. Consider deploying endpoint protection solutions that can detect abnormal behavior on the device or network. Additionally, coordinate with EV infrastructure providers and stakeholders to share threat intelligence and best practices. Finally, establish incident response plans specifically addressing potential compromises of EV charging equipment.
Affected Countries
United States, China, Germany, United Kingdom, France, Canada, Japan, South Korea, Netherlands, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-08-14T14:19:29.836Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 699f6c20b7ef31ef0b560339
Added to database: 2/25/2026, 9:39:44 PM
Last enriched: 2/26/2026, 3:48:25 AM
Last updated: 4/12/2026, 5:06:40 PM