PT-2026-4826 · Everest · Everest
Faeris95
Published: 2026-01-26
Updated: 2026-02-17
CVE: CVE-2026-24003
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
EVerest versions prior to 2025.12.1
Description
EVerest is an EV charging software stack. It is susceptible to a bypass of sequence state verification, including authentication: a sender can issue requests that transition the session into states that should be forbidden at that point, potentially updating the session context with illegitimate data. Specifically, the EVSEManager Charger internal state machine can be tricked into preparing to charge, and even into preparing to deliver current, through ISO 15118-2 messages published to the MQTT server, while the charger remains in the WaitingForAuthentication state. Closing the contactors to actually deliver current requires leaving the WaitingForAuthentication state and leveraging ISO 15118-2 messages.
Recommendations
Update to a version newer than 2025.12.1 when available.
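The defect class named above is a missing sequence check: a message handler applies a message's side effects by message type alone, without confirming the session is in a state where that message is allowed. The following is an added, self-contained illustration of that pattern and of its corrected form; it is not EVerest code and uses none of EVerest's APIs. The state names follow the advisory (WaitingForAuthentication), but the message names (SessionSetupReq, PowerDeliveryReq, the internal AuthorizationOk event), the transition table and the sample message sequence are constructed for this example and only approximate the ISO 15118-2 flow.

```python
"""Constructed charger-session state machine with an explicit sequence check.

Hypothetical example, not EVerest's implementation. Message names and the
transition table are simplified approximations, not the real ISO 15118-2 flow.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    WAITING_FOR_AUTHENTICATION = auto()
    PREPARE_CHARGING = auto()
    CHARGING = auto()


# Constructed transition table: for each state, which message types are
# acceptable and which state they lead to. Anything not listed for the
# current state is out of sequence.
ALLOWED_TRANSITIONS = {
    State.IDLE: {"SessionSetupReq": State.WAITING_FOR_AUTHENTICATION},
    State.WAITING_FOR_AUTHENTICATION: {"AuthorizationOk": State.PREPARE_CHARGING},
    State.PREPARE_CHARGING: {"PowerDeliveryReq": State.CHARGING},
    State.CHARGING: {"SessionStopReq": State.IDLE},
}


@dataclass
class Session:
    state: State = State.IDLE
    context: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)  # audit trail of out-of-sequence messages


def apply_effects(session, msg_type, payload):
    """Side effects of a message on the session context (constructed)."""
    if msg_type == "SessionSetupReq":
        session.context["evcc_id"] = payload.get("evcc_id")
    elif msg_type == "AuthorizationOk":
        session.context["authorized"] = True
    elif msg_type == "PowerDeliveryReq":
        # Preparing to deliver current: the step that must never run
        # before authorization has completed.
        session.context["requested_current_a"] = payload.get("current_a")
        session.context["charge_prepared"] = True
    elif msg_type == "SessionStopReq":
        session.context["charge_prepared"] = False


def handle_vulnerable(session, msg_type, payload):
    """Defective pattern: effects are applied by message type alone.

    The state only advances when the table happens to list the message, so
    an early PowerDeliveryReq leaves the session in WaitingForAuthentication
    while the context already says charging is prepared."""
    apply_effects(session, msg_type, payload)
    target = ALLOWED_TRANSITIONS[session.state].get(msg_type)
    if target is not None:
        session.state = target
    return session


def handle_checked(session, msg_type, payload):
    """Corrected pattern: verify the sequence before touching anything."""
    target = ALLOWED_TRANSITIONS[session.state].get(msg_type)
    if target is None:
        # Out-of-sequence message: no state change, no context update,
        # but record it so monitoring can flag repeated attempts.
        session.rejected.append((session.state.name, msg_type))
        return session
    apply_effects(session, msg_type, payload)
    session.state = target
    return session


def run(handler, sequence):
    """Feed a list of (msg_type, payload) pairs through a handler."""
    session = Session()
    for msg_type, payload in sequence:
        handler(session, msg_type, payload)
    return session


# Constructed sample: a PowerDeliveryReq arrives before any authorization.
EARLY_POWER_DELIVERY = [
    ("SessionSetupReq", {"evcc_id": "EXAMPLE-EVCC-ID"}),
    ("PowerDeliveryReq", {"current_a": 32}),
]

# Constructed sample: the legitimate order of events.
NORMAL_SEQUENCE = [
    ("SessionSetupReq", {"evcc_id": "EXAMPLE-EVCC-ID"}),
    ("AuthorizationOk", {}),
    ("PowerDeliveryReq", {"current_a": 32}),
]


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("checked", handle_checked)):
        s = run(handler, EARLY_POWER_DELIVERY)
        print(name, s.state.name, s.context, s.rejected)
```

The `rejected` list is the part a defender would wire into logging: a PowerDeliveryReq (or any message) rejected while in WaitingForAuthentication is a concrete, low-noise signal that something on the MQTT side is sending messages out of order.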
Improper Authentication
Incorrect Authorization
Affected Products
Everest