{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4157", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-13T20:34:14.213Z", "datePublished": "2026-04-11T00:16:38.871Z", "dateUpdated": "2026-04-13T17:39:00.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:16:38.871Z"}, "title": "ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338."}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"version": "5.5.4.13", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-197/", "name": "ZDI-26-197", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-13T20:34:14.246Z", "datePublic": "2026-03-16T21:29:46.801Z", "source": {"lang": "en", "value": "Viettel Cyber Security"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:38:49.371019Z", "id": "CVE-2026-4157", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:39:00.899Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4157", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-13T20:34:14.213Z", "datePublished": "2026-04-11T00:16:38.871Z", "dateUpdated": "2026-04-13T17:39:00.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:16:38.871Z"}, "title": "ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338."}], "affected": [{"vendor": "ChargePoint", "product": "Home Flex", "versions": [{"version": "5.5.4.13", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-197/", "name": "ZDI-26-197", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-13T20:34:14.246Z", "datePublic": "2026-03-16T21:29:46.801Z", "source": {"lang": "en", "value": "Viettel Cyber Security"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:38:49.371019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:38:57.174Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338."}], "id": "CVE-2026-4157", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:17.487", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-197/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.5.4.13"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Home Flex", "source": "cna", "vendor": "ChargePoint"}, "product": "home_flex", "vendor": "chargepoint"}], "analysis": {"en": {"generated_at": "2026-04-11T03:20:58.046996+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor\u2011issued firmware update or security patch for ChargePoint Home Flex devices as soon as it becomes available.", "Limit network exposure by placing the chargers behind a dedicated firewall and blocking all inbound traffic except the required OCPP ports, restricting access to trusted devices.", "Disable or restrict the revssh service if the device configuration allows it, until a patch is released.", "Continuously monitor device logs for unusual OCPP messages or failed command executions and investigate any anomalies promptly.", "If no patch or configuration change is available, consider temporarily removing the chargers from production operations until remediation is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all ChargePoint Home Flex chargers deployed with the current firmware stack. No specific firmware versions are cited in the advisory, so any installation of a Home Flex charger is potentially exposed until a vendor\u2011issued fix is deployed.", "description_and_impact": "ChargePoint Home Flex chargers contain a command injection flaw in the handling of Open Charge Point Protocol (OCPP) messages. The vulnerability arises from undefined validation of a user\u2011supplied string that is passed to a system call. An attacker can supply crafted data and cause the device to execute arbitrary code as the root user. This results in full compromise of the affected device, allowing the attacker to read, modify, or delete data, install persistent backdoors, and potentially disrupt charging services.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity risk, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Authentication is not required, and the flaw can be triggered from a device on the same local network, making the likely attack vector network\u2011adjacent. An attacker with local network access can exploit the vulnerability without credentials, creating substantial risk for installations that are not isolated from untrusted traffic."}}}}, "created": "2026-04-13T12:42:09.012533+00:00", "updated": "2026-04-13T12:56:54.098394+00:00", "vendors": ["chargepoint", "chargepoint$PRODUCT$home_flex"]}