CVE-2024-7391: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in ChargePoint Home Flex
ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability. The specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454.
AI Analysis
Technical Summary
CVE-2024-7391 is an information disclosure vulnerability identified in the ChargePoint Home Flex electric vehicle charging station, specifically in version 5.5.3.13. The vulnerability arises from the device's Wi-Fi setup logic, which uses Bluetooth Low Energy (BLE) communication. During the setup process, an attacker who is network-adjacent—meaning within BLE range—can connect to the device and extract sensitive Wi-Fi credentials. This flaw is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. Exploitation requires user interaction, such as initiating or being involved in the setup process, and the attacker must be physically near the device to leverage BLE connectivity. The disclosed Wi-Fi credentials could allow the attacker to gain unauthorized access to the victim’s Wi-Fi network, potentially enabling further attacks on other devices connected to that network. The CVSS v3.0 base score is 2.6, reflecting low severity due to the requirement for user interaction, high attack complexity, and limited impact confined to confidentiality. No integrity or availability impacts are noted. No patches or known exploits have been reported at the time of publication, but the vulnerability was tracked by the Zero Day Initiative as ZDI-CAN-21454. This vulnerability highlights risks in IoT device setup procedures that expose sensitive network information over short-range wireless protocols.
Potential Impact
The primary impact of CVE-2024-7391 is the potential exposure of Wi-Fi credentials, which compromises the confidentiality of the victim’s network. If an attacker obtains these credentials, they could gain unauthorized access to the Wi-Fi network, potentially leading to lateral movement within the network, data interception, or launching further attacks against other connected devices. However, the requirement for user interaction and physical proximity reduces the likelihood of widespread exploitation. The vulnerability does not affect device integrity or availability, so direct disruption of charging services is unlikely. Organizations deploying ChargePoint Home Flex devices, especially in residential or semi-public environments, face increased risk of network intrusion if attackers can physically approach devices during setup. The exposure could be particularly impactful in environments where Wi-Fi networks are trusted for sensitive operations or where network segmentation is weak. Overall, the threat is moderate but should not be ignored given the growing adoption of EV charging infrastructure and IoT devices in critical environments.
Mitigation Recommendations
1. Limit physical access to ChargePoint Home Flex devices during the Wi-Fi setup process to trusted personnel only, preventing unauthorized BLE connections.
2. Conduct the Wi-Fi setup in secure environments where attackers cannot be in close proximity.
3. Segment IoT and EV charging devices on separate VLANs or isolated networks to contain potential breaches and prevent lateral movement if Wi-Fi credentials are compromised.
4. Disable Bluetooth Low Energy connectivity on the device after setup is complete, if supported, to reduce attack surface.
5. Monitor network traffic for unusual connections or unauthorized devices joining the Wi-Fi network.
6. Stay informed about vendor updates or patches addressing this vulnerability and apply them promptly once available.
7. Educate users about the risks of setting up devices in unsecured or public areas and the importance of controlling physical access during setup.
8. Consider using strong Wi-Fi authentication methods and regularly rotating Wi-Fi credentials to limit exposure duration.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Netherlands, Norway, Sweden, Australia, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-08-01T20:11:51.555Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 699f6c16b7ef31ef0b55fc4d
Added to database: 2/25/2026, 9:39:34 PM
Last enriched: 2/26/2026, 3:37:38 AM
Last updated: 4/11/2026, 9:28:44 PM