CVE-2024-23969
Published: 31 January 2025
Description
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanchnllst function. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.
Security Summary
CVE-2024-23969 is a buffer overflow vulnerability affecting ChargePoint Home Flex charging stations. The issue stems from a lack of proper validation of user-supplied data within the wlanchnllst function, resulting in a write past the end of an allocated buffer. This flaw, classified under CWE-787 (Out-of-bounds Write), enables arbitrary code execution and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Network-adjacent attackers can exploit this vulnerability without authentication. By sending crafted data, they can trigger the buffer overflow and execute arbitrary code in the context of root on the affected charging station, potentially taking full control of the device and compromising its confidentiality, integrity, and availability.
The Zero Day Initiative advisory ZDI-24-1051 at https://www.zerodayinitiative.com/advisories/ZDI-24-1051/ provides further technical details on the vulnerability.
Details
- CWE(s)