Advisory · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-4155: ChargePoint Home Flex Charging Station Exposes Credentials via Hardcoded Crypto Seed

A high-severity information disclosure vulnerability in ChargePoint Home Flex EV chargers allows unauthenticated remote attackers to extract stored credentials by exploiting a hardcoded cryptographic seed in the device's password generation script.

A high-severity information disclosure vulnerability has been disclosed in ChargePoint Home Flex electric vehicle charging stations, tracked as CVE-2026-4155. Discovered by researcher Sina Kheirkhah of the Summoning Team during the Pwn2Own competition, the flaw resides in the device's `genpw` script, which contains a hardcoded cryptographic seed value. This seed, intended for password generation, is exposed in plaintext within the script, enabling unauthenticated remote attackers to derive and disclose stored credentials on affected devices.

The vulnerability affects ChargePoint Home Flex models running CPH50 firmware versions prior to 5.5.4.22. The issue carries a CVSS score of 7.5 (High), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that no authentication or user interaction is required for exploitation. Using the exposed seed, an attacker can reconstruct the cryptographic keys used to protect sensitive data stored on the charging station, such as Wi-Fi credentials and account tokens. This could allow further compromise of the device or the owner's home network.

ChargePoint has released firmware version 5.5.4.22 to address the vulnerability. Users are strongly advised to update their Home Flex charging stations to the latest firmware as soon as possible. The advisory, published by the Zero Day Initiative as ZDI-26-195, notes that the vulnerability was responsibly reported to ChargePoint on March 13, 2025, and the coordinated public disclosure occurred on March 16, 2026.

The discovery at Pwn2Own highlights the growing attention on security in the electric vehicle charging infrastructure. As EV adoption accelerates, vulnerabilities in charging stations could become attractive targets for attackers seeking to disrupt energy grids or steal user data. This disclosure follows a broader trend of embedded systems in critical infrastructure being scrutinized for hardcoded secrets and weak cryptographic practices.

While no active exploitation has been reported in the wild, the public availability of technical details and the involvement of a high-profile competition like Pwn2Own increase the likelihood of attackers attempting to reverse-engineer the flaw. Owners of ChargePoint Home Flex stations should prioritize applying the firmware patch and consider segmenting their charging station on a separate network to limit potential lateral movement in case of compromise.

Synthesized by Vypr AI