CVE-2024-23969

High

Published: 31 January 2025

Published

31 January 2025

Modified

30 September 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-23969 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Chargepoint Home Flex Nema 14-50 Plug Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of user-supplied data in the wlanchnllst function to prevent the buffer overflow from invalid inputs.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as stack canaries or DEP to block arbitrary code execution resulting from the out-of-bounds write.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation and patching of the specific buffer overflow flaw in the ChargePoint Home Flex wlanchnllst function.

NVD Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanchnllst function. The issue results from the lack…

of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Deeper analysisAI

CVE-2024-23969 is a buffer overflow vulnerability affecting ChargePoint Home Flex charging stations. The issue stems from a lack of proper validation of user-supplied data within the wlanchnllst function, resulting in a write past the end of an allocated buffer. This flaw, classified under CWE-787 (Out-of-bounds Write), enables arbitrary code execution and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Network-adjacent attackers can exploit this vulnerability without authentication. By sending crafted data, they can trigger the buffer overflow and execute arbitrary code in the context of root on the affected charging station, potentially compromising the device's full control, including confidentiality, integrity, and availability.

The Zero Day Initiative advisory ZDI-24-1051 at https://www.zerodayinitiative.com/advisories/ZDI-24-1051/ provides further technical details on the vulnerability.