EVerest TbdController Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in EVerest, an EV charging software stack, prior to version 2025.10.0. The issue arises from improper handling of C++ exceptions in the TbdController loop, which is responsible for managing SDP and ISO15118-20 servers. When an unhandled exception occurs, the loop and its caller terminate silently, causing the module to become unusable and disrupting server functionality.
Impact
Exploitation of this vulnerability leads to a silent denial-of-service condition, causing the module to stop responding to SDP requests and disrupting server operations.
Reproduction
To reproduce this vulnerability, send a malformed SDP request to the module's plain or TLS server. This can be done using a crafted Python payload that sends a V2GTP message with an invalid header, which will trigger an exception in the TbdController loop. Once the exception is thrown, the module will close the server connection and fail to respond to further SDP requests, demonstrating the denial-of-service condition.
Remediation
Users can upgrade to EVerest version 2025.10.0 or later, where this vulnerability has been addressed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.