The server in Circontrol Raption versions up to and including 5.11.2 has a pre-authentication stack-based buffer overflow that can be exploited to gain run-time control of the device as root. The pwrstudio web application of EV Charger (in the server in Circontrol Raption up to and including 5.6.2) is vulnerable to OS command injection.