Cyber Resilience

CVE-2024-23921

High

Published: 31 January 2025

Published
31 January 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 34.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-23921 is a high-severity Code Injection (CWE-94) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-23921 is a command injection vulnerability (CWE-94) affecting ChargePoint Home Flex charging stations. The flaw resides in the wlanapp module, where a user-supplied string is not properly validated before being used in a system call. This allows network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Network-adjacent attackers, positioned on the same local network as the charging station, can exploit this issue with low complexity and no privileges or user interaction needed. By crafting a malicious string that triggers the flawed system call, an attacker gains remote code execution as root, enabling full control over the device, including potential data exfiltration, modification of configurations, or disruption of charging operations.

The Zero Day Initiative advisory ZDI-24-1049 provides details on the vulnerability. No specific patch or mitigation details are outlined in the available information.

EU & UK References

Vulnerability details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanapp module. The issue results from the lack…

more

of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in network-exposed wlanapp module directly enables unauthenticated RCE as root on adjacent network, mapping to public-facing app exploitation and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-23971Same product: Chargepoint Home Flex Hardwired
CVE-2024-23969Same product: Chargepoint Home Flex Hardwired
CVE-2024-23920Same product: Chargepoint Home Flex Hardwired
CVE-2024-23968Same product: Chargepoint Home Flex Hardwired
CVE-2026-29955Shared CWE-94
CVE-2024-55964Shared CWE-94
CVE-2026-20045Shared CWE-94
CVE-2025-67038Shared CWE-94
CVE-2024-53944Shared CWE-94
CVE-2024-44722Shared CWE-94

Affected Assets

chargepoint
home flex nema 14-50 plug firmware
all versions
chargepoint
home flex hardwired firmware
all versions
chargepoint
home flex nema 6-50 plug firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied inputs before processing, preventing command injection from unvalidated strings in the wlanapp module.

prevent

Mandates monitoring, reporting, and remediation of flaws such as the command injection vulnerability in ChargePoint Home Flex stations.

prevent

Enforces least privilege to limit damage from arbitrary code execution obtained as root via the vulnerability.

References