EVerest AuthHandler Timing Vulnerability Allows Unauthorized Charging
Vulnerability
A vulnerability in the EVerest EV charging software stack, prior to version 2026.02.0, allows authorization withdrawal to be bypassed, enabling unauthorized charging. This issue arises when the WithdrawAuthorization request is processed before the TransactionStarted event, leading the AuthHandler to incorrectly determine that no transaction is active. Consequently, while the deauthorization process is initiated, the actual charging session is not terminated, allowing charging to continue despite the withdrawal of authorization.
Impact
Exploiting this vulnerability can lead to unauthorized charging, compromising billing integrity.
Reproduction
The vulnerability can be reproduced by initiating a charging session and then sending a WithdrawAuthorization request before the TransactionStarted event is processed. This can be done by simulating the timing of these events in the AuthHandler component. The absence of the TransactionStarted event at the time of the withdrawal request is key to reproducing the issue.
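The following is an added example, not code from the EVerest project: a toy C++ model of the event ordering described above. A naive handler reproduces the behaviour the advisory describes (a WithdrawAuthorization processed before TransactionStarted deauthorizes the token but leaves charging running), and a hardened handler shows one way such a handler can be made robust to the reordering. All class, field and event names, the assumption that the EVSE starts delivering power as soon as a token is authorized, and the hardened logic itself are assumptions of this model, not EVerest's API or the upstream patch.

```cpp
// Added example (not EVerest project code): a toy model of the AuthHandler
// ordering issue, with a naive handler that shows the bug and a hardened
// handler that tolerates WithdrawAuthorization arriving before TransactionStarted.
#include <cstdio>
#include <string>
#include <vector>

// Per-connector state in this model. Field names are assumptions, not EVerest's.
struct ConnectorState {
    std::string granted_token;       // token currently authorized ("" = none)
    bool transaction_known = false;  // true once TransactionStarted was processed
    bool charging = false;           // whether the EVSE is delivering power
};

// Naive handler: a withdrawal only stops the session when a transaction is
// already known. If WithdrawAuthorization arrives first, charging continues.
class NaiveAuthHandler {
public:
    void authorize(const std::string& token) {
        s_.granted_token = token;
        s_.charging = true;  // model assumption: EVSE starts as soon as authorized
    }
    void transaction_started() { s_.transaction_known = true; }
    void withdraw_authorization(const std::string& token) {
        if (s_.granted_token != token) return;
        s_.granted_token.clear();            // deauthorization happens...
        if (s_.transaction_known) {          // ...but stopping the session is conditional
            s_.charging = false;
            s_.transaction_known = false;
        }
    }
    bool charging() const { return s_.charging; }
private:
    ConnectorState s_;
};

// Hardened handler (an illustrative fix for this model, not the upstream patch):
// withdrawal always cuts power for a matching token, and a TransactionStarted
// for a token that is no longer granted is refused instead of trusted.
class HardenedAuthHandler {
public:
    void authorize(const std::string& token) {
        s_.granted_token = token;
        s_.charging = true;
    }
    void transaction_started() {
        if (s_.granted_token.empty()) {      // authorization already withdrawn
            s_.charging = false;             // do not let the late event revive it
            return;
        }
        s_.transaction_known = true;
    }
    void withdraw_authorization(const std::string& token) {
        if (s_.granted_token != token) return;
        s_.granted_token.clear();
        s_.charging = false;                 // stop regardless of transaction_known
        s_.transaction_known = false;
    }
    bool charging() const { return s_.charging; }
private:
    ConnectorState s_;
};

// Replay a sequence of event names against a fresh handler and report whether
// the connector is still charging afterwards. Event names are this model's own.
template <typename Handler>
bool still_charging_after(const std::vector<std::string>& events) {
    Handler h;
    const std::string token = "TOKEN-CONSTRUCTED-01";  // constructed sample token
    for (const auto& e : events) {
        if (e == "Authorize") h.authorize(token);
        else if (e == "TransactionStarted") h.transaction_started();
        else if (e == "WithdrawAuthorization") h.withdraw_authorization(token);
    }
    return h.charging();
}

// Constructed event sequences: the expected order and the reordered one.
const std::vector<std::string> kNormalOrder = {"Authorize", "TransactionStarted", "WithdrawAuthorization"};
const std::vector<std::string> kReorderedEvents = {"Authorize", "WithdrawAuthorization", "TransactionStarted"};

int main() {
    std::printf("naive, normal order:      charging=%d\n", still_charging_after<NaiveAuthHandler>(kNormalOrder));
    std::printf("naive, withdraw first:    charging=%d\n", still_charging_after<NaiveAuthHandler>(kReorderedEvents));
    std::printf("hardened, withdraw first: charging=%d\n", still_charging_after<HardenedAuthHandler>(kReorderedEvents));
    return 0;
}
```

The replay function doubles as a regression check: a handler is only acceptable if charging is off after both sequences. The hardened variant achieves this by making the stop unconditional on withdrawal and by treating a TransactionStarted for a withdrawn token as an anomaly to refuse, which is also a useful point to log for detection.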
Remediation
Users should update to EVerest version 2026.02.0 or later, where this vulnerability has been patched.
