CVE-2025-54564: n/a
uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user.
AI Analysis
Technical Summary
CVE-2025-54564 is a vulnerability identified in the ChargePoint Home Flex electric vehicle (EV) charging station firmware version 5.5.4.13. The issue arises from improper validation of a user-controlled string during bz2 decompression in the 'uploadsm' component. Specifically, the vulnerability allows an attacker to supply a crafted bz2 compressed payload that is not properly sanitized or validated before decompression. This flaw enables command execution under the privileges of the 'nobody' user on the device. The 'nobody' user is a low-privilege account typically used to limit the impact of exploits, but an attacker running arbitrary commands at this level may still be able to escalate privileges further or move laterally within a network. The vulnerability does not require authentication or user interaction, making it exploitable remotely if the uploadsm service is exposed or accessible. No CVSS score has been assigned yet, and no known exploits in the wild have been reported as of the publication date. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for affected organizations to monitor for updates or implement compensating controls. Given the nature of the device, a home EV charger, this vulnerability could be leveraged to disrupt charging services, compromise device integrity, or use the device as a foothold into home or corporate networks.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on ChargePoint Home Flex chargers in corporate or residential settings. Successful exploitation could lead to unauthorized command execution on the device, potentially allowing attackers to disrupt EV charging operations, which may affect fleet management, employee vehicle charging, or residential EV usage. Moreover, compromised devices could serve as entry points into internal networks, risking broader network compromise, data breaches, or lateral movement to more critical infrastructure. Given the increasing adoption of EVs and associated charging infrastructure across Europe, disruption or compromise of these devices could impact operational continuity and damage organizational reputation. Additionally, attackers could leverage compromised chargers to launch attacks on other connected systems, amplifying the threat. The fact that exploitation does not require authentication or user interaction increases the risk profile, especially if these devices are accessible from less secure network segments or exposed to the internet.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
- Identify all ChargePoint Home Flex 5.5.4.13 devices within their environment.
- Until an official patch is released, restrict network access to these devices, ensuring they are not exposed to untrusted networks or the internet.
- Implement network segmentation to isolate EV charging infrastructure from critical business networks.
- Monitor network traffic for unusual bz2 decompression requests or anomalous uploadsm activity, which can help detect exploitation attempts.
- Employ strict access controls and disable any unnecessary services on the devices.
- Engage with ChargePoint support or vendors to obtain information on patches or firmware updates addressing this vulnerability.
- Consider deploying host-based intrusion detection systems (HIDS) on networks hosting these devices to detect suspicious command execution patterns.
- Educate relevant personnel on the risks associated with EV charging infrastructure and incorporate these devices into regular vulnerability management and incident response plans.
Affected Countries
Germany, France, United Kingdom, Netherlands, Norway, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-07-25T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 688d04c8ad5a09ad00cb1876
Added to database: 8/1/2025, 6:17:44 PM
Last enriched: 8/1/2025, 6:33:44 PM
Last updated: 8/27/2025, 11:13:53 AM