CVE-2024-23968

Severity CVSS v4.0:
Pending analysis
Type:
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
31/01/2025
Last modified:
30/06/2025

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.<br /> <br /> The specific flaw exists within the SrvrToSmSetAutoChnlListMsg function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:chargepoint:home_flex_nema_14-50_plug_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chargepoint:home_flex_nema_14-50_plug:-:*:*:*:*:*:*:*
cpe:2.3:o:chargepoint:home_flex_hardwired_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chargepoint:home_flex_hardwired:-:*:*:*:*:*:*:*
cpe:2.3:o:chargepoint:home_flex_nema_6-50_plug_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:chargepoint:home_flex_nema_6-50_plug:-:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools