Description
ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338.
Published: 2026-04-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ChargePoint Home Flex chargers contain a command injection flaw in the handling of Open Charge Point Protocol (OCPP) messages. The vulnerability arises from undefined validation of a user‑supplied string that is passed to a system call. An attacker can supply crafted data and cause the device to execute arbitrary code as the root user. This results in full compromise of the affected device, allowing the attacker to read, modify, or delete data, install persistent backdoors, and potentially disrupt charging services.

Affected Systems

This vulnerability affects all ChargePoint Home Flex chargers deployed with the current firmware stack. No specific firmware versions are cited in the advisory, so any installation of a Home Flex charger is potentially exposed until a vendor‑issued fix is deployed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Authentication is not required, and the flaw can be triggered from a device on the same local network, making the likely attack vector network‑adjacent. An attacker with local network access can exploit the vulnerability without credentials, creating substantial risk for installations that are not isolated from untrusted traffic.

Generated by OpenCVE AI on April 11, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑issued firmware update or security patch for ChargePoint Home Flex devices as soon as it becomes available.
  • Limit network exposure by placing the chargers behind a dedicated firewall and blocking all inbound traffic except the required OCPP ports, restricting access to trusted devices.
  • Disable or restrict the revssh service if the device configuration allows it, until a patch is released.
  • Continuously monitor device logs for unusual OCPP messages or failed command executions and investigate any anomalies promptly.
  • If no patch or configuration change is available, consider temporarily removing the chargers from production operations until remediation is applied.

Generated by OpenCVE AI on April 11, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Chargepoint home Flex Cph50
Chargepoint home Flex Cph50 Firmware
CPEs cpe:2.3:h:chargepoint:home_flex_cph50:-:*:*:*:*:*:*:*
cpe:2.3:o:chargepoint:home_flex_cph50_firmware:*:*:*:*:*:*:*:*
Vendors & Products Chargepoint home Flex Cph50
Chargepoint home Flex Cph50 Firmware

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chargepoint
Chargepoint home Flex
Vendors & Products Chargepoint
Chargepoint home Flex

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338.
Title ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Chargepoint Home Flex Home Flex Cph50 Home Flex Cph50 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-13T17:39:00.899Z

Reserved: 2026-03-13T20:34:14.213Z

Link: CVE-2026-4157

cve-icon Vulnrichment

Updated: 2026-04-13T17:38:57.174Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:17.487

Modified: 2026-04-27T17:42:41.327

Link: CVE-2026-4157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:56:54Z

Weaknesses