EVerest EV Charging Software Connection Termination Vulnerability
Vulnerability
A vulnerability exists in the EVerest EV charging software stack, in all versions up to and including 2025.12.1. The issue arises because the default setting for 'terminate_connection_on_failed_response' is 'False', leaving it up to the electric vehicle (EV) to manage session and connection termination. As a result, errors logged by the module do not prompt automatic countermeasures such as resetting or ending sessions and connections. A malicious user could exploit this to take advantage of other vulnerabilities or weaknesses. Although users can manually change the setting to 'true' to mitigate the issue, the setting cannot be enabled by default, as it may cause errors in vehicle electronic control units (ECUs) that require resets, leading to prolonged charging disruptions. Consequently, the maintainers have decided to keep the default setting unchanged.
Impact
The vulnerability could be exploited by a malicious user to take advantage of other weaknesses or vulnerabilities, due to the lack of automatic connection termination in response to errors.
Remediation
Users can change the 'terminate_connection_on_failed_response' setting to 'true' to mitigate the issue. However, this cannot be enabled by default, as it may trigger errors in vehicle ECUs that require resets, causing lengthy charging unavailability. The maintainers have chosen to keep the default setting as is, prioritizing the avoidance of short-term EVSE unavailability.
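Because the shipped default is 'false' and a missing key therefore behaves the same as an explicit 'false', an operator who opts into the hardened setting needs a way to confirm that every relevant module instance actually carries it. The following audit script is an added example and is not part of EVerest or of the advisory; it assumes the EVerest configuration layout of 'active_modules' -> instance id -> {'module', 'config_module'} (treated here as an assumption) and operates on an already-parsed dictionary, which in practice would come from a YAML loader such as yaml.safe_load. The module names and the sample configuration are constructed placeholders, not real EVerest modules.

```python
"""Audit an EVerest-style configuration for 'terminate_connection_on_failed_response'.

Added example, not EVerest's own code. Assumes the configuration layout
active_modules -> <instance id> -> {"module": <type>, "config_module": {...}}.
The sample configuration and module names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SETTING = "terminate_connection_on_failed_response"

# Per the advisory, the shipped default is false, so an absent key is
# treated exactly like an explicit false.
DEFAULT_VALUE = False


@dataclass
class Finding:
    instance_id: str
    module: str
    value: Optional[bool]   # None means the key is absent and the default applies
    hardened: bool          # effective value after applying the default


def _as_bool(value) -> bool:
    """Normalise YAML-ish truthy spellings ('true', 'True', 'yes') to bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in ("true", "yes", "on", "1")
    return bool(value)


def audit_config(config: Dict, modules_of_interest: Optional[Set[str]] = None) -> List[Finding]:
    """Return one Finding per module instance that is in scope.

    modules_of_interest: module type names that should carry the setting.
    Instances of those types are reported even when the key is absent,
    because absence means the insecure default. When None, only instances
    that explicitly carry the key are inspected.
    """
    findings: List[Finding] = []
    for instance_id, entry in config.get("active_modules", {}).items():
        module = entry.get("module", "?")
        module_cfg = entry.get("config_module") or {}
        has_key = SETTING in module_cfg
        in_scope = modules_of_interest is not None and module in modules_of_interest
        if not has_key and not in_scope:
            continue
        value = _as_bool(module_cfg[SETTING]) if has_key else None
        effective = DEFAULT_VALUE if value is None else value
        findings.append(Finding(instance_id, module, value, hardened=effective))
    return findings


def unhardened(findings: List[Finding]) -> List[Finding]:
    """Instances whose effective setting still leaves termination to the EV."""
    return [f for f in findings if not f.hardened]


# Constructed sample configuration (placeholder module names, not real EVerest modules).
SAMPLE_CONFIG = {
    "active_modules": {
        "iso15118_charger": {
            "module": "PlaceholderV2G",
            "config_module": {"device": "eth0", SETTING: False},
        },
        "iso15118_charger_2": {
            "module": "PlaceholderV2G",
            "config_module": {"device": "eth1", SETTING: "true"},
        },
        "iso15118_charger_3": {
            "module": "PlaceholderV2G",
            "config_module": {"device": "eth2"},   # key absent -> default false
        },
        "energy_manager": {
            "module": "PlaceholderEnergyManager",
            "config_module": {},
        },
    }
}

if __name__ == "__main__":
    for f in unhardened(audit_config(SAMPLE_CONFIG, {"PlaceholderV2G"})):
        shown = "absent (default false)" if f.value is None else f.value
        print(f"{f.instance_id} ({f.module}): {SETTING} = {shown}")
```

Passing the set of module types that should carry the setting is what makes the check useful: an instance that simply omits the key is reported alongside one that sets it to 'false', since both inherit the default the advisory describes. Whether to flip the setting remains the operational trade-off the advisory states; the script only reports where the default is still in effect.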