CVE-2024-23920

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the onboardee module. The issue results from improper access control. An attacker can leverage this vulnerability to execute code in the context of root.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
icscertCNA
---
---
CISA-ADPADP
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
chargepointhome_flex_nema_14-50_plug_firmware
-
chargepointhome_flex_hardwired_firmware
-
chargepointhome_flex_nema_6-50_plug_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.zerodayinitiative.com/advisories/ZDI-24-1048/