Cyber Resilience

CVE-2024-23969

High

Published: 31 January 2025

Modified: 30 September 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23969 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in ChargePoint Home Flex NEMA 14-50 Plug firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-23969 is a buffer overflow vulnerability affecting ChargePoint Home Flex charging stations. The issue stems from a lack of proper validation of user-supplied data within the wlanchnllst function, resulting in a write past the end of an allocated buffer. This flaw, classified under CWE-787 (Out-of-bounds Write), enables arbitrary code execution and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Network-adjacent attackers can exploit this vulnerability without authentication. By sending crafted data, they can trigger the buffer overflow and execute arbitrary code in the context of root on the affected charging station, potentially taking full control of the device and compromising its confidentiality, integrity, and availability.

The Zero Day Initiative advisory ZDI-24-1051 at https://www.zerodayinitiative.com/advisories/ZDI-24-1051/ provides further technical details on the vulnerability.

Vulnerability details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wlanchnllst function. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The buffer overflow enables unauthenticated remote code execution on a network-adjacent, public-facing charging station service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-23971 (same product: ChargePoint Home Flex Hardwired)
CVE-2024-23921 (same product: ChargePoint Home Flex Hardwired)
CVE-2024-23920 (same product: ChargePoint Home Flex Hardwired)
CVE-2024-23968 (same product: ChargePoint Home Flex Hardwired)
CVE-2025-25742 (shared CWE-787)
CVE-2026-21897 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)
CVE-2024-57579 (shared CWE-787)
CVE-2024-57581 (shared CWE-787)
CVE-2026-0114 (shared CWE-787)

Affected Assets

chargepoint: home flex nema 14-50 plug firmware (all versions)
chargepoint: home flex hardwired firmware (all versions)
chargepoint: home flex nema 6-50 plug firmware (all versions)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of user-supplied data in the wlanchnllst function to prevent the buffer overflow from invalid inputs.

Prevent: Implements memory safeguards such as stack canaries or DEP to block arbitrary code execution resulting from the out-of-bounds write.

Prevent: Mandates timely remediation and patching of the specific buffer overflow flaw in the ChargePoint Home Flex wlanchnllst function.
