CVE-2024-7392
📋 TL;DR
This vulnerability allows attackers within Bluetooth range to cause a denial-of-service condition on ChargePoint Home Flex electric vehicle chargers by exploiting connection limits in the BLE interface. No authentication is required, affecting all users of vulnerable ChargePoint Home Flex devices. The attack prevents legitimate users from connecting to or using the charging station.
💻 Affected Systems
- ChargePoint Home Flex
📦 What is this software?
Home Flex Firmware by Chargepoint
⚠️ Risk & Real-World Impact
Worst Case
Charging station becomes completely unusable for extended periods, preventing vehicle charging and potentially stranding users who rely on scheduled charging.
Likely Case
Temporary service disruption where legitimate users cannot connect via Bluetooth until the attack stops or connections time out.
If Mitigated
Minimal impact if Bluetooth functionality is disabled or physical proximity controls prevent attackers from getting within range.
🎯 Exploit Status
Attack requires only Bluetooth Low Energy scanning and connection tools, which are widely available. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check ChargePoint firmware updates for specific version
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1047/
Restart Required: Yes
Instructions:
1. Log into ChargePoint account
2. Navigate to Home Flex device settings
3. Check for firmware updates
4. Apply available updates
5. Restart charging station after update
🔧 Temporary Workarounds
Disable Bluetooth
allTurn off Bluetooth functionality on the charging station to prevent BLE-based attacks
Physical Access Control
allRestrict physical access to charging station location to prevent attackers from getting within Bluetooth range
🧯 If You Can't Patch
- Disable Bluetooth functionality via device settings or physical switch if available
- Install charging station in secure location with restricted physical access
🔍 How to Verify
Check if Vulnerable:
Check if Bluetooth is enabled and device firmware version is unpatched via ChargePoint app or web interfaceCheck Version:
Check firmware version in ChargePoint mobile app under device settingsVerify Fix Applied:
Confirm firmware version has been updated to latest version addressing CVE-2024-7392📡 Detection & Monitoring
Log Indicators:
- Multiple failed connection attempts via Bluetooth
- Unusual Bluetooth connection patterns
- Device restart events
Network Indicators:
- Excessive BLE connection requests from single source
- BLE connection floods
SIEM Query:
Not applicable - this is a Bluetooth/local attack not typically monitored by network SIEM