Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338.
AnalysisAI
Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.
Technical ContextAI
CWE-78 OS command injection in revssh service. OCPP message parameters lack input validation before being interpolated into system call execution contexts. Network-adjacent attack vector (CVSS AV:A) requires local network access but bypasses authentication barriers. High attack complexity (AC:H) suggests exploitation requires specific timing or environmental conditions.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations should immediately implement network segmentation to isolate affected ChargePoint Home Flex devices on dedicated VLAN segments with strict firewall rules preventing lateral movement. Disable external OCPP connectivity if not operationally required. Monitor device logs for anomalous revssh service activity or unexpected system call patterns. Restrict network-adjacent access through 802.1X authentication or MAC address filtering on charging station network segments. Consult vendor advisory and contact ChargePoint support for firmware update availability and deployment timeline. Full technical details available at https://www.zerodayinitiative.com/advisories/ZDI-26-197/ and through ChargePoint's security response channels.
Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attack
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to exe
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21643