CVE-2025-54564: n/a

High
Published: Fri Aug 01 2025 (08/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user.

AI-Powered Analysis

Last updated: 08/01/2025, 18:33:44 UTC

Technical Analysis

CVE-2025-54564 is a vulnerability identified in the ChargePoint Home Flex electric vehicle (EV) charging station firmware version 5.5.4.13. The issue arises from improper validation of a user-controlled string during bz2 decompression in the 'uploadsm' component. Specifically, the vulnerability allows an attacker to supply a crafted bz2 compressed payload that is not properly sanitized or validated before decompression. This flaw enables command execution under the privileges of the 'nobody' user on the device.

The 'nobody' user is a low-privilege account typically used to limit the impact of exploits, but command execution at this level still allows attackers to execute arbitrary commands, potentially leading to further privilege escalation or lateral movement within a network. The vulnerability does not require authentication or user interaction, making it exploitable remotely if the uploadsm service is exposed or accessible.

No CVSS score has been assigned yet, and no known exploits in the wild have been reported as of the publication date. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for affected organizations to monitor for updates or implement compensating controls. Given the nature of the device, a home EV charger, this vulnerability could be leveraged to disrupt charging services, compromise device integrity, or use the device as a foothold into home or corporate networks.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on ChargePoint Home Flex chargers in corporate or residential settings. Successful exploitation could lead to unauthorized command execution on the device, potentially allowing attackers to disrupt EV charging operations, which may affect fleet management, employee vehicle charging, or residential EV usage. Moreover, compromised devices could serve as entry points into internal networks, risking broader network compromise, data breaches, or lateral movement to more critical infrastructure. Given the increasing adoption of EVs and associated charging infrastructure across Europe, disruption or compromise of these devices could impact operational continuity and damage organizational reputation. Additionally, attackers could leverage compromised chargers to launch attacks on other connected systems, amplifying the threat. The fact that exploitation does not require authentication or user interaction increases the risk profile, especially if these devices are accessible from less secure network segments or exposed to the internet.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify all ChargePoint Home Flex 5.5.4.13 devices within their environment. Until an official patch is released, organizations should restrict network access to these devices, ensuring they are not exposed to untrusted networks or the internet. Implement network segmentation to isolate EV charging infrastructure from critical business networks. Monitoring network traffic for unusual bz2 decompression requests or anomalous uploadsm activity can help detect exploitation attempts. Employ strict access controls and disable any unnecessary services on the devices. Organizations should also engage with ChargePoint support or vendors to obtain information on patches or firmware updates addressing this vulnerability. Additionally, consider deploying host-based intrusion detection systems (HIDS) on networks hosting these devices to detect suspicious command execution patterns. Finally, educate relevant personnel on the risks associated with EV charging infrastructure and incorporate these devices into regular vulnerability management and incident response plans.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-07-25T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 688d04c8ad5a09ad00cb1876

Added to database: 8/1/2025, 6:17:44 PM

Last enriched: 8/1/2025, 6:33:44 PM

Last updated: 8/27/2025, 11:13:53 AM
