CVE-2023-30399

An attacker on the network path can intercept the firmware update address displayed on the settings page and replace it with a link to a malicious update package. The device does not authenticate the update request, so the attacker can then trigger a firmware update that deploys a crafted Tomcat WAR file (e.g., a backdoor `serialweb.war`), achieving remote code execution with device management privileges [ref_id=1].

The vulnerable interface is the firmware update page at `/serialweb/#settings` on port 8080. The update mechanism downloads a `.tgz` package (e.g., `chargebox_189.tgz`) and processes its contents, including `serialweb.war` and `SerialService.jar`, without verifying the integrity or authenticity of the package [ref_id=1].

The advisory does not provide a patch diff or fixed version number beyond stating that versions "before v189" are vulnerable [ref_id=1]. The recommended remediation is to enforce authentication on the firmware update API and to verify the integrity and authenticity of update packages (e.g., via cryptographic signing) to prevent man-in-the-middle substitution of malicious payloads [ref_id=1].