Home Flex
Monthly
Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.
Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.
Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.
Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.
Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.