Critical Remote Code Execution (CVE‑2026‑4157) in ChargePoint Home Flex EV Chargers Threatens Enterprise IoT Deployments
What It Is – A command‑injection flaw in the revssh service of ChargePoint Home Flex EV charging stations (CVE‑2026‑4157) allows an unauthenticated, network‑adjacent attacker to execute arbitrary code as root. The bug stems from improper validation of OCPP messages before invoking a system call.
Exploitability – The vulnerability is publicly disclosed with a CVSS 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). No public exploit code has been released, but the attack requires only network proximity and no credentials, making it highly attractive for opportunistic actors.
Affected Products – ChargePoint Home Flex charging stations (firmware < 5.5.4.22).
TPRM Impact – EV‑charging hardware is increasingly deployed in corporate campuses, multi‑tenant properties, and municipal fleets. A compromised charger can serve as a foothold for lateral movement into internal networks, enable data exfiltration, or cause service disruption to critical infrastructure.
Recommended Actions –
- Verify firmware version on all ChargePoint Home Flex units; upgrade immediately to 5.5.4.22 or later.
- Conduct an inventory of EV‑charging assets across your supply chain and map their network zones.
- Isolate charging stations on a dedicated VLAN with strict egress filtering.
- Deploy IDS/IPS signatures that detect anomalous OCPP traffic or unexpected
revsshcommands. - Incorporate the CVE into your vulnerability‑management feed and schedule regular re‑assessment.