Product Overview
Product Name: EVerest (everest-core)
Product Type: Open-source EV charging (EVSE) software framework
Usage: Deployed in electric vehicle charging stations to manage communication, charging workflows, and power delivery
Affected Scope: EVSE systems running vulnerable versions of everest-core prior to the fixed release
The vulnerabilities described below affect how EVerest handles session management and message deserialization during ISO 15118 DC charging communication. Under specific conditions, these flaws may lead to service crashes and complete EVSE shutdown, causing charging disruptions.
Vulnerability Summary Table
| CVE Title | CVE ID | CVSS Score | Severity | Exploitability | Exploit / PoC Availability |
|---|---|---|---|---|---|
| Improper session lifecycle handling leading to Null Pointer Dereference | CVE-2025-68136 | 7.4 | High | Adjacent network, low complexity, no authentication required | No public PoC released (theoretical exploitation only) |
| Out-of-Bounds access during DC message parsing causing module crash | CVE-2025-68141 | 7.4 | High | Adjacent network, low complexity, no authentication required | No public PoC released (theoretical exploitation only) |
CVE-2025-68136 – Inadequate Session Handling Leading to Service Termination
Vulnerability Description
A flaw was identified in the way EVerest manages network sessions during Service Discovery Protocol (SDP) handling. When repeated SDP requests were received, new session objects and TCP connections were created without correctly closing or maintaining previously allocated sessions.
As a result, system resources such as file descriptors and memory objects could accumulate over time. Under certain execution paths, internal pointers referencing session objects were left unset, leading to a null pointer dereference. When triggered, the affected module crashed, and in many deployments the crash propagated, terminating the entire EVerest process.
This condition resulted in a denial of service where all charging operations managed by the instance were halted.
How Exploitation Could Occur
Exploitation could be achieved by an attacker with access to the same network segment as the EVSE. By repeatedly initiating SDP requests or manipulating the connection lifecycle, system resources could be intentionally exhausted.
In some execution paths, session cleanup logic failed, allowing a null pointer dereference to be triggered during internal session handling. The attack did not require authentication, elevated privileges, or advanced techniques.
This vulnerability did not allow remote code execution or data manipulation. The impact was limited to service disruption and EVSE unavailability.
Impact
- Unexpected termination of EVerest modules
- Full EVSE shutdown in multi-module deployments
- Interruption of active and future charging sessions
- Operational downtime and potential customer impact
MITRE Classification
- CWE-770 – Allocation of Resources Without Limits or Throttling
- ATT&CK Impact Technique: Endpoint Denial of Service
Detection and Monitoring Guidance
Detection was possible by monitoring both application-level and host-level indicators:
Application Indicators
- Repeated creation of SDP sessions in logs
- Error messages related to session lifecycle or connection cleanup
- Sudden termination of EVerest modules without graceful shutdown
Host Indicators
- Rapid increase in open file descriptors for the EVerest process
- Elevated memory usage without release
- Repeated process crashes or restarts
Network Indicators
- High frequency of SDP or ISO 15118 connection attempts from the same source
- Unusual patterns of short-lived TCP sessions targeting EVSE services
CVE-2025-68141 – Out-of-Bounds Access During DC Charge Message Deserialization
Vulnerability Description
A second vulnerability was identified in the deserialization logic of DC_ChargeLoopRes messages when Receipt and TaxCost fields were processed. During parsing, a vector holding tax cost details was accessed without proper bounds checking.
When malformed or unexpected message structures were encountered, the code attempted to access memory outside the allocated vector range. This resulted in a null pointer dereference and immediate termination of the affected module.
Because message parsing occurred during active DC charging communication, a crash at this stage caused charging sessions to be aborted and EVSE services to stop.
How Exploitation Could Occur
An attacker with adjacent network access could send a specially crafted DC charging response message containing inconsistent or malformed tax cost data.
Once the message was processed by the vulnerable deserialization logic, an out-of-bounds read occurred, leading to a null pointer dereference. The result was a controlled crash of the charging module.
This technique required knowledge of ISO 15118 message structures but did not require authentication or elevated permissions. The exploit impact was limited to denial of service.
Impact
- Crash of DC charging module
- Forced termination of EVerest process
- Global EVSE shutdown
- Disruption of ongoing charging sessions
MITRE Classification
- CWE-476 – NULL Pointer Dereference
- ATT&CK Impact Techniques: Endpoint Denial of Service / Service Stop
Detection and Monitoring Guidance
Application-Level Detection
- Errors related to
DC_ChargeLoopResparsing - Exceptions mentioning receipt or tax cost handling
- Unhandled null pointer exceptions
Network-Level Detection
- DC charging messages with abnormal field lengths
- Unexpected combinations of Receipt and TaxCost elements
- Repeated malformed DC responses from a single source
Operational Indicators
- EVSE stops responding during DC charging
- Charging sessions fail immediately after message exchange
- Automatic service restarts following crash events
Exploit / Proof of Concept Status
No publicly released proof-of-concept code or exploit tools were disclosed at the time of vulnerability resolution. Exploitation scenarios described above are theoretical and provided strictly for defensive and educational purposes.
Remediation and Mitigation
Permanent Fix
The issues were fully resolved by correcting session lifecycle management and adding proper bounds checking in message parsing logic. All affected deployments should be upgraded immediately.
Official patch / upgrade link:
https://github.com/EVerest/everest-core/releases/tag/2025.10.0
Temporary Mitigations (If Upgrade Is Delayed)
- Restrict EVSE communication interfaces to trusted network segments
- Apply network-level filtering to limit ISO 15118 message sources
- Enable verbose logging for session creation and message parsing
- Monitor for abnormal resource consumption and crash events
Final Takeaway
Both vulnerabilities were availability-focused and did not expose sensitive data or allow code execution. However, due to the critical nature of EV charging infrastructure, service disruption risks should be treated with high priority.
Applying the official upgrade fully mitigates both CVE-2025-68136 and CVE-2025-68141.
