CVE-2024-7392 identifies a denial-of-service vulnerability in the ChargePoint Home Flex electric vehicle charging station, specifically within its Bluetooth Low Energy (BLE) connection handling. The vulnerability stems from insufficient resource pool management (CWE-410), where the device limits the number of concurrent BLE connections it can maintain. An attacker positioned within network adjacency—physically near enough to interact with the BLE interface—can exploit this by initiating multiple connection attempts, exhausting the device’s BLE connection pool. This results in a denial-of-service condition, preventing legitimate users or systems from establishing BLE connections with the charger. Notably, exploitation requires no authentication or user interaction, lowering the barrier for attackers. The vulnerability affects version 5.5.3.13 of the ChargePoint Home Flex product. The CVSS v3.0 base score is 4.3 (medium), reflecting that the attack vector is adjacent network, with low attack complexity, no privileges required, no user interaction, and impacts only availability. There are no known exploits in the wild, and no patches have been published at the time of disclosure. The vulnerability was assigned by the Zero Day Initiative (ZDI) as ZDI-CAN-21455. The flaw could disrupt EV charging operations by denying BLE-based management or monitoring connections, potentially impacting user experience and operational continuity in EV charging environments.

The primary impact of CVE-2024-7392 is a denial-of-service condition on ChargePoint Home Flex devices, which can disrupt the availability of BLE connectivity used for device management, monitoring, or user interaction. While this does not compromise confidentiality or integrity, it can prevent legitimate users or backend systems from connecting to the charger via BLE, potentially causing operational delays or failures in charging sessions. For organizations operating fleets of EV chargers or public charging stations, this could translate into customer dissatisfaction, operational inefficiencies, and reputational damage. In critical infrastructure or commercial settings relying on these chargers, availability loss could have cascading effects on EV fleet readiness or energy management. The ease of exploitation without authentication and user interaction increases the risk of opportunistic attacks, especially in densely populated or publicly accessible charging locations. However, the lack of known exploits and the medium severity score indicate a moderate risk level at present.

To mitigate CVE-2024-7392, organizations should implement the following specific measures: 1) Monitor ChargePoint vendor communications closely for firmware updates or patches addressing this vulnerability and apply them promptly once available. 2) Restrict physical and wireless access to the BLE interface of ChargePoint Home Flex devices by deploying them in controlled environments or using physical enclosures to limit attacker proximity. 3) Employ Bluetooth signal jamming or filtering technologies where feasible to reduce unauthorized BLE connection attempts in sensitive locations. 4) Network segmentation and monitoring should be used to detect anomalous BLE connection patterns indicative of exploitation attempts. 5) Consider disabling BLE connectivity if it is not essential for operations or replace it with more secure management interfaces. 6) Educate operational staff about the risks of BLE-based attacks and establish incident response procedures for suspected denial-of-service events affecting EV chargers. These targeted controls go beyond generic advice by focusing on the BLE attack vector and operational context of EV charging infrastructure.