EVerest EV Charging Software Denial-of-Service Vulnerability via Assert Function Error Handling

Vulnerability

A denial-of-service vulnerability has been identified in EVerest, an EV charging software stack, in versions prior to 2025.10.0. The issue arises from the improper use of the assert function for error handling, which frequently leads to module crashes. This is particularly problematic because when any module terminates, the manager shuts down all other modules and exits, causing a widespread service disruption. In scenarios where the manager oversees multiple Electric Vehicle Supply Equipment (EVSE) units, this issue would also affect other users.

Impact

Exploiting this vulnerability causes the affected module to crash, leading the manager to terminate all modules and exit. This creates a denial-of-service condition for all EVSE under the manager's control.

Reproduction

The vulnerability can be reproduced by sending a 'ChargeLoop' request message with none of the control modes marked as used. This will trigger the assert statement, causing the module to crash.
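The failure mode described above, as an added C++ example that is not EVerest's code: an assert on a field of an incoming message, next to a handler that rejects the message and keeps running. The struct, field and function names are hypothetical, and rejecting a request with both modes set is an added assumption beyond the case this advisory describes.

```cpp
#include <cassert>
#include <iostream>
#include <string>

// Hypothetical stand-in for a decoded 'ChargeLoop' request. Field names are
// assumptions for illustration, not EVerest's actual types.
struct ChargeLoopReq {
    bool scheduled_mode_used;
    bool dynamic_mode_used;
};

enum class ControlMode { Scheduled, Dynamic };

// Fragile: an assert on peer-controlled input. A failed assert aborts the whole
// process; with NDEBUG the check vanishes and bad data flows on unchecked.
ControlMode select_mode_fragile(const ChargeLoopReq& req) {
    assert(req.scheduled_mode_used || req.dynamic_mode_used);
    return req.scheduled_mode_used ? ControlMode::Scheduled : ControlMode::Dynamic;
}

struct ModeResult {
    bool ok;
    ControlMode mode;   // valid only when ok is true
    std::string error;  // empty when ok is true
};

// Hardened: a malformed message is a recoverable protocol error, not a crash.
ModeResult select_mode_checked(const ChargeLoopReq& req) {
    if (req.scheduled_mode_used == req.dynamic_mode_used) {
        const char* why = req.scheduled_mode_used ? "multiple control modes set"
                                                  : "no control mode set";
        return {false, ControlMode::Scheduled, why};
    }
    return {true, req.scheduled_mode_used ? ControlMode::Scheduled : ControlMode::Dynamic, ""};
}

// Rejects the one bad message; the process and other sessions keep running.
bool handle_request(const ChargeLoopReq& req, std::string& response) {
    const ModeResult r = select_mode_checked(req);
    if (!r.ok) { response = "FAILED: " + r.error; return false; }
    response = (r.mode == ControlMode::Scheduled) ? "OK: scheduled" : "OK: dynamic";
    return true;
}

int main() {
    std::string resp;
    handle_request(ChargeLoopReq{false, false}, resp);  // constructed sample input
    std::cout << resp << "\n";
    return 0;
}
```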

Remediation

Users can upgrade to EVerest version 2025.10.0 or later to address this vulnerability.

Added: Jan 21, 2026, 7:22 PM
Updated: Jan 21, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.