Skip to main content

Home Flex CVE-2026-4157

| EUVDEUVD-2026-21643 HIGH
OS Command Injection (CWE-78)
2026-04-11 zdi
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21643
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338.

AnalysisAI

Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.

Technical ContextAI

CWE-78 OS command injection in revssh service. OCPP message parameters lack input validation before being interpolated into system call execution contexts. Network-adjacent attack vector (CVSS AV:A) requires local network access but bypasses authentication barriers. High attack complexity (AC:H) suggests exploitation requires specific timing or environmental conditions.

RemediationAI

No vendor-released patch identified at time of analysis. Organizations should immediately implement network segmentation to isolate affected ChargePoint Home Flex devices on dedicated VLAN segments with strict firewall rules preventing lateral movement. Disable external OCPP connectivity if not operationally required. Monitor device logs for anomalous revssh service activity or unexpected system call patterns. Restrict network-adjacent access through 802.1X authentication or MAC address filtering on charging station network segments. Consult vendor advisory and contact ChargePoint support for firmware update availability and deployment timeline. Full technical details available at https://www.zerodayinitiative.com/advisories/ZDI-26-197/ and through ChargePoint's security response channels.

Share

CVE-2026-4157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy