CVE-2024-23920

High

Published: 31 January 2025

Published

31 January 2025

Modified

01 July 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 26.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the onboardee module. The issue results from improper access control. An attacker can leverage this vulnerability to execute code in the context of root.

Security Summary

CVE-2024-23920 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting ChargePoint Home Flex charging stations. The flaw resides in the onboardee module, stemming from improper access control (CWE-284). It enables network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication.

Attackers positioned on the adjacent network (AV:A) can exploit this with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) in an unchanged scope (S:U). Successful exploitation grants root-level code execution on the targeted charging station.

Details on the vulnerability are documented in the Zero Day Initiative advisory ZDI-24-1048.

Details

CWE(s): CWE-284

Affected Products

chargepoint

home flex nema 14-50 plug firmware

all versions

chargepoint

home flex hardwired firmware

all versions

chargepoint

home flex nema 6-50 plug firmware

all versions

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1048/
Third Party Advisory · ics-cert@hq.dhs.gov