PT-2026-4826 · Everest · Everest

Faeris95 · Published 2026-01-26 · Updated 2026-02-17 · CVE-2026-24003

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: EVerest versions prior to 2025.12.1

Description: EVerest is an EV charging software stack. Affected versions are susceptible to a bypass of sequence-state verification, including authentication: a client can send requests that transition the charger to forbidden states, potentially updating the context with illegitimate data. Specifically, the EVSEManager Charger internal state machine can be tricked into preparing to charge, and even into preparing to send current, through ISO 15118-2 messages published to the MQTT server, while the charger remains in the WaitingForAuthentication state. Actually closing the contactors to deliver current still requires leaving the WaitingForAuthentication state and leveraging ISO 15118-2 messages.

Recommendations: Update to a version newer than 2025.12.1 when available.

Weakness Enumeration

Improper Authentication
Incorrect Authorization

Related identifiers

CVE-2026-24003
GHSA-9VV5-67CV-9CRQ

Affected products

Everest