← Back

CVE-2024-23971

nvd nist
Published: Jan 31, 2025Modified: Sep 30, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: ics-cert@hq.dhs.gov (Secondary)

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.

Affected (3)

Chargepoint
3 products
Home Flex Nema 14 50 Plug Firmware
Home Flex Hardwired Firmware
Home Flex Nema 6 50 Plug Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Home Flex Nema 14 50 Plug Firmware
All versions
Running on/withPlatform Versions
Chargepoint
Home Flex Nema 14 50 Plug
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Home Flex Hardwired Firmware
All versions
Running on/withPlatform Versions
Chargepoint
Home Flex Hardwired
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Home Flex Nema 6 50 Plug Firmware
All versions
Running on/withPlatform Versions
Chargepoint
Home Flex Nema 6 50 Plug
All versions

Related CWEs

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

Source: ics-cert@hq.dhs.gov
Third Party Advisory

Timeline

No history available yet.