CVE-2026-4157
ChargePoint · Home Flex
A command injection flaw in the ChargePoint Home Flex revssh service allows remote code execution (RCE).
Executive summary
A command injection vulnerability in the ChargePoint Home Flex revssh service allows for remote code execution, posing a high security risk.
Vulnerability
The revssh service on the ChargePoint Home Flex device is susceptible to command injection, which can be exploited to achieve remote code execution.
Business impact
With a CVSS score of 7.5, this vulnerability presents a high risk. Successful exploitation allows an attacker to execute arbitrary commands on the charging station, potentially leading to unauthorized control of the device or lateral movement into the local network.
Remediation
Immediate Action: Apply the security patches provided by ChargePoint to internet-facing systems without delay.
Proactive Monitoring: Monitor network traffic to and from the charging station for suspicious SSH-related activity or unauthorized command execution.
Compensating Controls: Restrict access to the charging station’s management interfaces and ensure it is isolated from the main corporate network where possible.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the potential for remote code execution, it is imperative to apply security updates provided by the vendor immediately. Ensure that all internet-exposed devices are properly secured and monitored.