Critical RCE in ChargePoint Home Flex EV Charger (CVE‑2026‑4156) Exploits OCPP Stack Buffer Overflow
What It Is – A stack‑based buffer overflow in the OCPP getpreq handler of ChargePoint’s Home Flex residential EV charger allows an unauthenticated, network‑adjacent attacker to execute arbitrary code with root privileges.
Exploitability – The flaw is remotely exploitable without credentials; a proof‑of‑concept was demonstrated at the Pwn2Own competition. CVSS 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected Products – ChargePoint Home Flex chargers (firmware < 5.5.4.22).
TPRM Impact – Compromise of a charger can give attackers a foothold on a customer’s LAN, let them pivot to other IoT devices, or let them manipulate charging data, creating supply‑chain and operational risk for organizations that rely on ChargePoint infrastructure.
Recommended Actions –
- Verify firmware version; upgrade to CPH50 5.5.4.22 or later immediately.
- Segment EV‑charging networks from critical corporate assets (VLANs, firewalls).
- Enforce strict inbound traffic filtering to the charger’s management interface.
- Monitor for anomalous OCPP traffic and unexpected process behavior on chargers.
- Include ChargePoint as a critical third party in your risk register and reassess contractual security clauses.
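
To support the firmware verification step above, the following added example (not ChargePoint code and not part of the original advisory) audits an asset inventory against the fixed version 5.5.4.22 using numeric comparison, since a plain string comparison would wrongly rank 5.5.4.9 above 5.5.4.22. The CSV layout, column names and asset IDs are assumptions constructed for illustration.

```python
import csv
import io

# First fixed Home Flex firmware version, as stated in the advisory.
FIXED = (5, 5, 4, 22)

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if unparseable."""
    text = text.strip()
    # Tolerate the "CPH50 5.5.4.22" form used in the advisory text.
    if text.upper().startswith("CPH50"):
        text = text[5:].strip()
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Classify one firmware string as patched, vulnerable or unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # missing or malformed: needs manual follow-up
    # Pad to equal length so "5.5.4" compares as 5.5.4.0.
    width = max(len(v), len(FIXED))
    v = v + (0,) * (width - len(v))
    fixed = FIXED + (0,) * (width - len(FIXED))
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map asset_id -> status for every row of the inventory export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["asset_id"]: classify(row["firmware"]) for row in reader}

# Constructed sample inventory (hypothetical assets and column names).
SAMPLE = """asset_id,site,firmware
chg-001,garage-a,5.5.4.22
chg-002,garage-a,5.5.4.9
chg-003,lot-b,CPH50 5.5.5.1
chg-004,lot-b,5.5.3.30
chg-005,lot-c,
"""

if __name__ == "__main__":
    for asset, status in audit(SAMPLE).items():
        print(f"{asset}: {status}")
```

Treat `unknown` results the same as `vulnerable` until the firmware version is confirmed on the device.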