Pwn2Own ChargePoint Home Flex Bug: Unauthenticated Command Injection in EV Charger Allows Root Access
A command injection vulnerability in the revssh service of ChargePoint Home Flex EV chargers, disclosed at Pwn2Own, allows unauthenticated network-adjacent attackers to execute arbitrary code as root via a crafted OCPP message.

A critical command injection vulnerability in the ChargePoint Home Flex electric vehicle charger has been disclosed as part of the Pwn2Own hacking contest. Tracked as CVE-2026-4157 and assigned a CVSS score of 7.5, the flaw resides in the revssh service and allows unauthenticated, network-adjacent attackers to execute arbitrary code with root privileges. The vulnerability was reported by Viettel Cyber Security and publicly released on March 16, 2026, by the Zero Day Initiative (ZDI) under advisory ZDI-26-197.
The specific weakness lies in how the device handles Open Charge Point Protocol (OCPP) messages. The revssh service fails to properly validate a user-supplied string before using it to execute a system call, creating a classic command injection vector. An attacker who can send a malicious OCPP message to the charger — for example, from another device on the same Wi-Fi network — can trigger the injection and gain full remote code execution as root. No authentication is required to exploit the vulnerability.
ChargePoint Home Flex chargers are widely deployed in residential and commercial settings across North America and Europe. The Home Flex model supports both hardwired and plug-in installations and is one of the most popular Level 2 EV chargers on the market. While the attack requires network adjacency, the ubiquity of these devices means that a compromised charger could be used as a pivot point to attack other devices on the home or business network, or to manipulate charging behavior.
ChargePoint has released a fix in firmware version CPH50 5.5.4.22. Users are strongly advised to update their chargers to this version as soon as possible. The vulnerability was reported to ChargePoint on March 6, 2025, and the coordinated disclosure was completed on March 16, 2026. The one-year timeline reflects the complexity of developing and testing a firmware update for embedded devices that may not have automatic update mechanisms enabled by default.
The disclosure at Pwn2Own highlights the growing attention on security in the electric vehicle charging ecosystem. As EV adoption accelerates, charging infrastructure — often connected to home networks and the internet — presents an expanding attack surface. Previous research has uncovered vulnerabilities in other charger models, including issues with OCPP implementations, insecure firmware updates, and weak authentication. The ChargePoint Home Flex bug is a reminder that even consumer-grade charging stations must be held to rigorous security standards.
For now, the primary mitigation is to apply the firmware update. Users should also ensure their charger is not directly exposed to the internet and that it sits on a network segment separate from other critical devices. The ZDI advisory notes that no active exploitation in the wild has been reported, but given the public disclosure and the availability of technical details, attackers may soon attempt to reverse-engineer the vulnerability.