CVE-2024-23921
Published: 31 January 2025
Summary
CVE-2024-23921 is a high-severity Code Injection (CWE-94) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-supplied inputs before processing, preventing command injection from unvalidated strings in the wlanapp module.
Mandates monitoring, reporting, and remediation of flaws such as the command injection vulnerability in ChargePoint Home Flex stations.
Enforces least privilege to limit damage from arbitrary code execution obtained as root via the vulnerability.
NVD Description
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanapp module. The issue results from the lack…
more
of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
Deeper analysisAI
CVE-2024-23921 is a command injection vulnerability (CWE-94) affecting ChargePoint Home Flex charging stations. The flaw resides in the wlanapp module, where a user-supplied string is not properly validated before being used in a system call. This allows network-adjacent attackers to execute arbitrary code in the context of root without requiring authentication. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Network-adjacent attackers, positioned on the same local network as the charging station, can exploit this issue with low complexity and no privileges or user interaction needed. By crafting a malicious string that triggers the flawed system call, an attacker gains remote code execution as root, enabling full control over the device, including potential data exfiltration, modification of configurations, or disruption of charging operations.
The Zero Day Initiative advisory ZDI-24-1049 provides details on the vulnerability. No specific patch or mitigation details are outlined in the available information.
Details
- CWE(s)