ZDI 2026-03-16

ZDI-26-197: (Pwn2Own) ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability

CVE-2026-4157

Machine-generated analysis · WAYSCloud LLM

Network-adjacent attackers can achieve unauthenticated remote code execution on ChargePoint Home Flex devices. This vulnerability was demonstrated during the Pwn2Own 2026 competition.

Context

The vulnerability affects the revssh service in ChargePoint Home Flex electric vehicle charging stations. The advisory describes a command injection vulnerability that allows arbitrary code execution without authentication. The vulnerability was assigned CVE-2026-4157 with a CVSS score of 7.5.

Operator considerations

Check: Inventory ChargePoint Home Flex devices on your network
Isolate: Consider network segmentation for ChargePoint devices given the network-adjacent attack vector

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-4157.

Read the full advisory on ZDI →