Description
EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available.
Published: 2026-01-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized state transition enabling unauthenticated charging requests
Action: Assess Impact
AI Analysis

Impact

EVerest core versions up to and including 2025.12.1 allow a bypass of sequence state verification, including authentication checks, which means an attacker can send ISO 15118‑2 messages that transition the EVSE Manager to forbidden states. The vulnerability permits the internal context to be updated with illegitimate data, potentially allowing a vehicle to be charged without proper authentication or authorization.

Affected Systems

The issue affects the EVerest:everest‑core component, specifically any installations using versions 2025.12.1 or earlier. No published patch exists at the time of release; users should ensure their deployments do not run these versions.

Risk and Exploitability

The CVSS v3.1 score is 4.3, indicating moderate severity, and the EPSS score is less than 1 %, showing a very low historical exploitation probability. It is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to craft ISO 15118‑2 messages that are published to the system’s MQTT broker; with those messages, the EVSE can be tricked into a charging state that would normally be unreachable in the ‘WaitingForAuthentication’ state. Given the lack of a patch, the risk remains primarily to users running vulnerable versions.

Generated by OpenCVE AI on April 18, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EVerest core module to a version newer than 2025.12.1 once a corrective release is available.
  • Secure the MQTT broker by enabling TLS, configuring client authentication, and applying topic‑level access controls so that only authenticated and authorized clients can publish ISO 15118‑2 messages to the EVSE Manager.
  • Segment the network or apply firewall rules to isolate the EVSE Manager from untrusted MQTT traffic, ensuring that only trusted local services can communicate with it, and monitor broker logs for suspicious message patterns.

Generated by OpenCVE AI on April 18, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation everest
CPEs cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation everest

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Everest
Everest everest-core
Vendors & Products Everest
Everest everest-core

Mon, 26 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available.
Title EvseV2G has sequence state validation bypass
Weaknesses CWE-287
CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Everest Everest-core
Linuxfoundation Everest
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T21:37:27.245Z

Reserved: 2026-01-19T18:49:20.659Z

Link: CVE-2026-24003

cve-icon Vulnrichment

Updated: 2026-01-27T21:37:23.744Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-26T22:15:56.513

Modified: 2026-02-17T20:48:01.273

Link: CVE-2026-24003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses