CVE-2024-23920
Published: 31 January 2025
Summary
CVE-2024-23920 is a high-severity Improper Access Control (CWE-284) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-23920 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting ChargePoint Home Flex charging stations. The flaw resides in the onboardee module, stemming from improper access control (CWE-284). It enables network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication.
Attackers positioned on the adjacent network (AV:A) can exploit this with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) in an unchanged scope (S:U). Successful exploitation grants root-level code execution on the targeted charging station.
Details on the vulnerability are documented in the Zero Day Initiative advisory ZDI-24-1048.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21350
Vulnerability details
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the onboardee module. The issue results from improper access…
more
control. An attacker can leverage this vulnerability to execute code in the context of root.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability provides unauthenticated remote code execution as root over the adjacent network, directly enabling exploitation of a remote service on the charging station.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for all access to the onboardee module, directly preventing unauthorized network-adjacent code execution as root.
Limits and explicitly approves actions permitted without identification or authentication, addressing the lack of required authentication for exploitation of the onboardee module.
Enforces least privilege on processes in the onboardee module to prevent arbitrary code execution in the context of root even if initial access is gained.