Cyber Posture

CVE-2024-23920

High

Published: 31 January 2025

Published
31 January 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 26.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-23920 is a high-severity Improper Access Control (CWE-284) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for all access to the onboardee module, directly preventing unauthorized network-adjacent code execution as root.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Limits and explicitly approves actions permitted without identification or authentication, addressing the lack of required authentication for exploitation of the onboardee module.

AC-6 Least Privilege good match
prevent

Enforces least privilege on processes in the onboardee module to prevent arbitrary code execution in the context of root even if initial access is gained.

NVD Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the onboardee module. The issue results from improper access…

more

control. An attacker can leverage this vulnerability to execute code in the context of root.

Deeper analysisAI

CVE-2024-23920 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting ChargePoint Home Flex charging stations. The flaw resides in the onboardee module, stemming from improper access control (CWE-284). It enables network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication.

Attackers positioned on the adjacent network (AV:A) can exploit this with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) in an unchanged scope (S:U). Successful exploitation grants root-level code execution on the targeted charging station.

Details on the vulnerability are documented in the Zero Day Initiative advisory ZDI-24-1048.

Details

CWE(s)
CWE-284

Affected Products

chargepoint
home flex nema 14-50 plug firmware
all versions
chargepoint
home flex hardwired firmware
all versions
chargepoint
home flex nema 6-50 plug firmware
all versions

CVEs Like This One

CVE-2024-23969Same product: Chargepoint Home Flex Hardwired
CVE-2024-23921Same product: Chargepoint Home Flex Hardwired
CVE-2024-23968Same product: Chargepoint Home Flex Hardwired
CVE-2024-23971Same product: Chargepoint Home Flex Hardwired
CVE-2025-25950Shared CWE-284
CVE-2026-5786Shared CWE-284
CVE-2026-32768Shared CWE-284
CVE-2026-33109Shared CWE-284
CVE-2025-24968Shared CWE-284
CVE-2025-54914Shared CWE-284

References