プラットフォーム
linux
コンポーネント
chargepoint-home-flex
修正版
5.5.5
CVE-2026-4157 is a critical Remote Code Execution (RCE) vulnerability affecting ChargePoint Home Flex devices running versions 5.5.4.13 through 5.5.4.13. This flaw allows a network-adjacent attacker to execute arbitrary code without authentication, potentially leading to complete system compromise. The vulnerability stems from insufficient input validation within the OCPP message handling process, and a fix is available from ChargePoint.
The impact of CVE-2026-4157 is severe due to the ease of exploitation and the potential for complete system takeover. An attacker can leverage this vulnerability to execute arbitrary code in the context of root on the ChargePoint Home Flex device. This could allow them to steal sensitive data, modify device settings, disrupt charging operations, or even use the compromised device as a pivot point to attack other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2026-4157 was disclosed on 2026-04-11. The vulnerability was reported to ChargePoint as ZDI-CAN-26338. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's ease of exploitation suggests a high probability of exploitation if a POC is released. The vulnerability is not currently listed on CISA KEV, but its severity warrants monitoring.
Organizations and individuals utilizing ChargePoint Home Flex devices, particularly those deployed in environments with limited network segmentation or exposed to untrusted networks, are at significant risk. Shared hosting environments where multiple users share a single ChargePoint Home Flex device are also particularly vulnerable.
• linux / server:
journalctl -u chargepoint-home-flex -f | grep -i "ocpp"• linux / server:
ps aux | grep chargepoint-home-flex• linux / server:
lsof -i :6443 # OCPP default portdisclosure
エクスプロイト状況
EPSS
0.25% (48% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2026-4157 is to upgrade ChargePoint Home Flex devices to a patched version as soon as it becomes available from ChargePoint. Until the upgrade is possible, consider segmenting the network to limit the attacker's potential reach if the device is compromised. Network firewalls should be configured to restrict external access to the device's OCPP port. Monitor network traffic for suspicious OCPP messages, particularly those containing unusual or unexpected characters. While a direct WAF rule is unlikely, a proxy can be configured to inspect OCPP traffic for command injection patterns.
Actualice el dispositivo ChargePoint Home Flex a una versión corregida. Consulte la documentación del fabricante o su sitio web para obtener instrucciones específicas sobre cómo actualizar el firmware del dispositivo.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2026-4157 is a Remote Code Execution vulnerability in ChargePoint Home Flex devices, allowing attackers to execute code without authentication.
You are affected if you are using ChargePoint Home Flex versions 5.5.4.13–5.5.4.13. Upgrade to a patched version as soon as possible.
Upgrade your ChargePoint Home Flex device to a patched version released by ChargePoint. Monitor ChargePoint's security advisories for updates.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation if a POC is released.
Refer to ChargePoint's security advisories page for the latest information and updates regarding CVE-2026-4157.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。