CVE-2025-54564 is a vulnerability identified in the ChargePoint Home Flex electric vehicle (EV) charging station firmware version 5.5.4.13. The issue arises from improper validation of a user-controlled string during bz2 decompression in the 'uploadsm' component. Specifically, the vulnerability allows an attacker to supply a crafted bz2 compressed payload that is not properly sanitized or validated before decompression. This flaw enables command execution under the privileges of the 'nobody' user on the device. The 'nobody' user is a low-privilege account typically used to limit the impact of exploits, but command execution at this level still allows attackers to execute arbitrary commands, potentially leading to further privilege escalation or lateral movement within a network. The vulnerability does not require authentication or user interaction, making it exploitable remotely if the uploadsm service is exposed or accessible. No CVSS score has been assigned yet, and no known exploits in the wild have been reported as of the publication date. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for affected organizations to monitor for updates or implement compensating controls. Given the nature of the device—a home EV charger—this vulnerability could be leveraged to disrupt charging services, compromise device integrity, or use the device as a foothold into home or corporate networks.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on ChargePoint Home Flex chargers in corporate or residential settings. Successful exploitation could lead to unauthorized command execution on the device, potentially allowing attackers to disrupt EV charging operations, which may affect fleet management, employee vehicle charging, or residential EV usage. Moreover, compromised devices could serve as entry points into internal networks, risking broader network compromise, data breaches, or lateral movement to more critical infrastructure. Given the increasing adoption of EVs and associated charging infrastructure across Europe, disruption or compromise of these devices could impact operational continuity and damage organizational reputation. Additionally, attackers could leverage compromised chargers to launch attacks on other connected systems, amplifying the threat. The fact that exploitation does not require authentication or user interaction increases the risk profile, especially if these devices are accessible from less secure network segments or exposed to the internet.

To mitigate this vulnerability, European organizations should first identify all ChargePoint Home Flex 5.5.4.13 devices within their environment. Until an official patch is released, organizations should restrict network access to these devices, ensuring they are not exposed to untrusted networks or the internet. Implement network segmentation to isolate EV charging infrastructure from critical business networks. Monitoring network traffic for unusual bz2 decompression requests or anomalous uploadsm activity can help detect exploitation attempts. Employ strict access controls and disable any unnecessary services on the devices. Organizations should also engage with ChargePoint support or vendors to obtain information on patches or firmware updates addressing this vulnerability. Additionally, consider deploying host-based intrusion detection systems (HIDS) on networks hosting these devices to detect suspicious command execution patterns. Finally, educate relevant personnel on the risks associated with EV charging infrastructure and incorporate these devices into regular vulnerability management and incident response plans.