CVE-2024-23971 in Home Flex
Summary
by MITRE • 01/31/2025
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
Analysis
by VulDB Data Team • 07/01/2025
This vulnerability in ChargePoint Home Flex charging stations represents a critical remote code execution flaw that fundamentally undermines the security posture of connected electric vehicle infrastructure. The vulnerability resides in the Open Charge Point Protocol implementation, which governs communication between charging stations and central management systems. Attackers exploiting this weakness can execute arbitrary code with root privileges, effectively gaining complete control over the affected devices. The absence of authentication requirements for exploitation makes this particularly dangerous as it allows any network-adjacent attacker to compromise these systems without prior credentials or access rights.
The technical root cause stems from insufficient input validation within the OCPP message processing pipeline. When the charging station receives messages containing user-supplied strings, the system fails to properly sanitize or validate these inputs before incorporating them into system calls. This classic vulnerability pattern aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands. The flaw essentially allows attackers to inject malicious command sequences that are then executed with the highest privileges available to the charging station software, typically root or system-level access. This creates a complete compromise of the device's operational integrity and security boundaries.
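The CWE-78 pattern described above, shown as an added illustration rather than code from ChargePoint, ZDI or VulDB: a string taken from an OCPP message is pasted into a shell command line in the weak form, and is allowlist-validated and passed as an argv element without a shell in the hardened form. The field name, the allowlist and the `logger` command are assumptions for illustration; the advisory does not state which message field or which system call is involved.

```python
import re
import subprocess
from typing import List

# Constructed allowlist: the characters an identifier-style OCPP string field
# is expected to contain. Both the pattern and the idea that the field is an
# identifier are assumptions; the advisory does not name the affected field.
_SAFE_FIELD = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_command_unsafe(value: str) -> str:
    """CWE-78 pattern: the OCPP-supplied string is interpolated into a shell line.

    Whatever the string contains (';', '|', '$(...)', backticks) reaches the
    shell unchanged if this line is later handed to os.system() or `sh -c`,
    so the sender, not the firmware, decides what gets executed.
    """
    return f"logger -t ocpp {value}"


def validate_field(value: str) -> bool:
    """Return True only when the string matches the allowlist exactly."""
    return _SAFE_FIELD.fullmatch(value) is not None


def build_command_safe(value: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist, then build argv.

    The command is represented as a list so it can be executed with
    shell=False; metacharacters are then plain bytes in one argument even if
    the allowlist were loosened later.
    """
    if not validate_field(value):
        raise ValueError(f"rejected OCPP string field: {value!r}")
    return ["logger", "-t", "ocpp", value]


def run_safe(value: str) -> int:
    """Execute the validated argv without a shell and return its exit status."""
    argv = build_command_safe(value)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one well-formed identifier, one carrying a shell
    # metacharacter that the weak form would pass straight to the shell.
    for sample in ("cp-01", "cp-01;echo"):
        print("unsafe line :", build_command_unsafe(sample))
        try:
            print("safe argv   :", build_command_safe(sample))
        except ValueError as exc:
            print("safe argv   :", exc)
```

The two defences are independent: the allowlist stops unexpected input at the protocol boundary, and `shell=False` with an argv list means the system call cannot interpret metacharacters even when validation is bypassed or later weakened. Either one alone would have closed the class of flaw the advisory describes; both together are the usual practice.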
The operational impact of this vulnerability extends beyond individual device compromise to potentially affect entire charging networks and grid infrastructure. ChargePoint Home Flex stations serve as critical nodes in electric vehicle charging ecosystems, and their compromise could enable attackers to manipulate charging sessions, extract sensitive data, or disrupt charging services. The vulnerability's remote exploitability means that attackers don't need physical access or network credentials to initiate attacks, making it particularly concerning for organizations managing large fleets of charging stations. This flaw could enable attackers to gain persistent access to charging infrastructure, potentially affecting billing systems, user data, and operational control of electric vehicle charging networks.
Organizations should immediately implement network segmentation to isolate charging infrastructure from general network access and deploy intrusion detection systems to monitor for suspicious OCPP traffic patterns. The recommended mitigations include applying firmware updates from ChargePoint as soon as they become available, implementing strict input validation controls on network traffic, and conducting comprehensive security assessments of all connected charging infrastructure. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control through protocol manipulation and privilege escalation, requiring security teams to monitor for unusual system call patterns and unauthorized code execution attempts. Organizations should also consider implementing network access controls and monitoring for unauthorized access attempts to charging station management interfaces.
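One way to monitor OCPP traffic for the input the advisory describes, as an added example that is not part of the advisory and not ChargePoint's or VulDB's code: the scanner parses OCPP 1.6-style JSON CALL frames (`[2, uniqueId, action, payload]`), walks every string in the payload and flags shell metacharacters. The sample frames are constructed; the advisory does not name the affected field, so the flagged `chargePointModel` value is an illustration only.

```python
import json
import re
from typing import Iterator, List, Tuple

# Characters that have no place in an OCPP string field but do have meaning
# to a POSIX shell; their presence is the signal worth alerting on.
_SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed sample traffic in OCPP 1.6 CALL layout. The second frame carries
# a string a CWE-78 sink would mishandle; the field chosen is an assumption.
SAMPLE_FRAMES = [
    '[2, "0001", "BootNotification", {"chargePointVendor": "ExampleVendor", '
    '"chargePointModel": "HomeFlex"}]',
    '[2, "0002", "BootNotification", {"chargePointVendor": "ExampleVendor", '
    '"chargePointModel": "HomeFlex;echo"}]',
    '[2, "0003", "Heartbeat", {}]',
]

Finding = Tuple[str, str, str]   # (action, json path, offending string)


def _walk(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string) for every string nested inside a payload."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def scan_frame(raw: str) -> List[Finding]:
    """Return findings for one OCPP frame; an empty list means it looks clean."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        # A frame that is not valid JSON is itself worth an alert.
        return [("<malformed>", "", raw)]
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2):
        return []   # only CALL frames (MessageTypeId 2) carry a request payload
    _, _uid, action, payload = frame
    return [
        (action, path, text)
        for path, text in _walk(payload)
        if _SHELL_META.search(text)
    ]


def scan_frames(frames) -> List[Finding]:
    """Scan a sequence of raw frames and concatenate the findings."""
    return [finding for raw in frames for finding in scan_frame(raw)]


if __name__ == "__main__":
    for action, path, text in scan_frames(SAMPLE_FRAMES):
        print(f"ALERT action={action} field={path} value={text!r}")
```

Run on a tap of the charger-to-CSMS link (after TLS termination where the operator controls it), this gives a cheap signal that complements firmware patching: a string field carrying shell syntax is anomalous regardless of whether the receiving firmware is still vulnerable, and an alert on it points straight at the frame to investigate.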