CVE-2024-23921
Published: 31 January 2025
Description
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanapp module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
Security Summary
CVE-2024-23921 is a command injection vulnerability (CWE-94) affecting ChargePoint Home Flex charging stations. The flaw resides in the wlanapp module, where a user-supplied string is not properly validated before being used in a system call. This allows network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Network-adjacent attackers, positioned on the same local network as the charging station, can exploit this issue with low complexity and no privileges or user interaction needed. By crafting a malicious string that triggers the flawed system call, an attacker gains remote code execution as root, enabling full control over the device, including potential data exfiltration, modification of configurations, or disruption of charging operations.
The Zero Day Initiative advisory ZDI-24-1049 provides details on the vulnerability. No specific patch or mitigation details are outlined in the available information.
Details
- CWE(s)