A local attacker with low privileges can use a command injection vulnerability to gain root privileges due to improper input validation using the OCPP Remote service.