Cyber Resilience

CVE-2024-23920

High

Published: 31 January 2025

Published
31 January 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 26.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-23920 is a high-severity Improper Access Control (CWE-284) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-23920 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting ChargePoint Home Flex charging stations. The flaw resides in the onboardee module, stemming from improper access control (CWE-284). It enables network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication.

Attackers positioned on the adjacent network (AV:A) can exploit this with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) in an unchanged scope (S:U). Successful exploitation grants root-level code execution on the targeted charging station.

Details on the vulnerability are documented in the Zero Day Initiative advisory ZDI-24-1048.

EU & UK References

Vulnerability details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the onboardee module. The issue results from improper access…

more

control. An attacker can leverage this vulnerability to execute code in the context of root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability provides unauthenticated remote code execution as root over the adjacent network, directly enabling exploitation of a remote service on the charging station.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-23968Same product: Chargepoint Home Flex Hardwired
CVE-2024-23921Same product: Chargepoint Home Flex Hardwired
CVE-2024-23971Same product: Chargepoint Home Flex Hardwired
CVE-2024-23969Same product: Chargepoint Home Flex Hardwired
CVE-2026-0386Shared CWE-284
CVE-2025-1260Shared CWE-284
CVE-2026-32769Shared CWE-284
CVE-2025-55895Shared CWE-284
CVE-2026-32737Shared CWE-284
CVE-2026-21262Shared CWE-284

Affected Assets

chargepoint
home flex nema 14-50 plug firmware
all versions
chargepoint
home flex hardwired firmware
all versions
chargepoint
home flex nema 6-50 plug firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for all access to the onboardee module, directly preventing unauthorized network-adjacent code execution as root.

prevent

Limits and explicitly approves actions permitted without identification or authentication, addressing the lack of required authentication for exploitation of the onboardee module.

prevent

Enforces least privilege on processes in the onboardee module to prevent arbitrary code execution in the context of root even if initial access is gained.

References