EVerest Sequence State Validation Bypass Vulnerability in EV Charging Software

A vulnerability exists in EVerest, an EV charging software stack, in versions through 2025.12.1. This vulnerability allows for a bypass of the sequence state verification, including authentication, enabling the sending of requests that transition to forbidden states. As a result, the current context can be updated with illegitimate data. The issue arises from the modular design of EVerest, where authorization is managed separately. The internal state machine of the EVSEManager Charger cannot move out of the 'WaitingForAuthentication' state via ISO 15118-2 communication. However, it is possible to exploit this vulnerability by sending ISO 15118-2 messages through the MQTT server, tricking the system into preparing to charge and even initiating the flow of current to the vehicle. The only requirement to actually deliver current was to close the contactors, which typically cannot be done without leaving the 'WaitingForAuthentication' state and using ISO 15118-2 messages. As of the publication date, no fixed versions are available.

Impact

Exploitation of this vulnerability leads to unauthorized access to ISO 15118-2 V2G states, allowing manipulation of the charging process by sending illegitimate data that could disrupt the expected sequence of events.