Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.
AnalysisAI
Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.
Technical ContextAI
CWE-540 violation: genpw script contains hardcoded cryptographic seed value used for credential generation/derivation. Deterministic seed enables attackers to reproduce cryptographic operations, effectively reversing password protection mechanisms. CVSS vector AV:N/AC:L/PR:N indicates remotely accessible code with no complexity barriers.
RemediationAI
No vendor-released patch identified at time of analysis. Primary mitigation requires ChargePoint to release firmware update removing hardcoded seed and implementing secure random seed generation per cryptographic best practices. Interim workarounds: (1) isolate affected charging stations on dedicated network segment with strict firewall rules blocking unauthorized remote access; (2) monitor network traffic for abnormal credential access patterns; (3) implement network-level authentication (802.1X) if supported; (4) disable remote management features until patch deployment. Consult ZDI advisory for disclosure timeline and vendor coordination status: https://www.zerodayinitiative.com/advisories/ZDI-26-195/. Organizations should contact ChargePoint support for patch availability and apply updates immediately upon release.
Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthent
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to exe
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21639
GHSA-69j2-hc78-98c7