PT-2026-3856 · Everest · Everest

Published 2026-01-21 · Updated 2026-01-21 · CVE-2025-68140

CVSS v3.1: 4.3 Medium
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: EVerest versions prior to 2025.9.0

Description: EVerest is an EV charging software stack. It validates each received V2G message and checks that the session ID carried by the message matches the registered one. Before version 2025.9.0, this check is mishandled when no session has been registered: the registered session ID then defaults to 0, so a message submitted with a session ID of 0 matches the default and is accepted. This potentially allows unauthorized, anonymous indirect emission of MQTT messages and communication with the V2G message handlers, which could lead to updates to the session context.

Recommendations: Update to version 2025.9.0 or later.
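The check the advisory describes, modelled in C++ as an added illustration (this is not EVerest's own code and not the change that 2025.9.0 actually ships): the first context compares the message's session ID against a stored value that defaults to 0 when nothing is registered, so a message carrying session ID 0 is accepted; the second makes "no session" an explicit state, refuses every message until a non-zero session ID is registered, and refuses to register 0 at all. The class and function names, the message shape and the sample session ID are assumptions constructed for the example.

```cpp
#include <cstdint>
#include <optional>
#include <string>

// Simplified model of a V2G session-ID check (added illustration, not
// EVerest's own code). The session ID is modelled as a 64-bit integer and
// 0 is the value that stands for "no session".
using SessionId = std::uint64_t;

struct V2GMessage {
    SessionId session_id;   // session ID carried by the message
    std::string name;       // constructed message name, e.g. "SessionSetupReq"
};

// Pattern described in the advisory: the registered session ID starts at 0
// when no session exists, so a message whose session ID is also 0 passes
// the equality check although no session was ever established.
class VulnerableSessionContext {
public:
    void register_session(SessionId id) { registered_ = id; }

    bool accepts(const V2GMessage& msg) const {
        // Compares against the default 0 when nothing is registered.
        return msg.session_id == registered_;
    }

private:
    SessionId registered_ = 0;
};

// Hardened pattern: "no session" is an explicit state, not the value 0.
// Messages are rejected until a session with a non-zero ID is registered,
// and 0 can never be registered as a session ID.
class HardenedSessionContext {
public:
    bool register_session(SessionId id) {
        if (id == 0) {
            return false;   // 0 is reserved for "no session"
        }
        registered_ = id;
        return true;
    }

    bool accepts(const V2GMessage& msg) const {
        if (!registered_.has_value()) {
            return false;   // no session registered: nothing can match
        }
        return msg.session_id == *registered_;
    }

private:
    std::optional<SessionId> registered_;
};

// The functions below exercise both contexts with constructed messages.

// Unregistered context, message with session ID 0: the vulnerable check accepts it.
bool vulnerable_accepts_zero_when_unregistered() {
    VulnerableSessionContext ctx;
    return ctx.accepts(V2GMessage{0, "SessionSetupReq"});
}

// Same message against the hardened context: rejected.
bool hardened_accepts_zero_when_unregistered() {
    HardenedSessionContext ctx;
    return ctx.accepts(V2GMessage{0, "SessionSetupReq"});
}

// A hardened context with a registered session still accepts the matching ID.
bool hardened_accepts_matching_session() {
    HardenedSessionContext ctx;
    ctx.register_session(0x1122334455667788ULL);   // constructed sample ID
    return ctx.accepts(V2GMessage{0x1122334455667788ULL, "ChargeParameterDiscoveryReq"});
}

// A hardened context with a registered session rejects a mismatching ID.
bool hardened_accepts_mismatching_session() {
    HardenedSessionContext ctx;
    ctx.register_session(0x1122334455667788ULL);   // constructed sample ID
    return ctx.accepts(V2GMessage{0, "ChargeParameterDiscoveryReq"});
}

// The hardened context refuses to register 0 as a session ID.
bool hardened_rejects_zero_registration() {
    HardenedSessionContext ctx;
    return !ctx.register_session(0);
}
```

The point of the hardened form is that the "no session" state is carried by `std::optional` rather than by a sentinel value that a message can legitimately carry; a check that compares against a sentinel is only as strong as the guarantee that the sentinel never appears on the wire.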

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2025-68140
GHSA-W385-3JWP-X47X

Affected Products

Everest