EVerest EV Charging Software Remote Stop Bypass Vulnerability
Vulnerability
A vulnerability in EVerest EV charging software prior to version 2026.02.0 allows a delayed authorization response during RemoteStop processing to bypass the intended transaction termination. This issue can lead to open transactions even after a remote stop has been initiated, potentially compromising billing and transaction integrity. The vulnerability arises because the authorization state is not properly managed, allowing transactions to remain active when they should be stopped.
Impact
Exploitation of this vulnerability bypasses the remote stop functionality, allowing transactions to remain open and active, which can lead to unauthorized billing or charges.
Reproduction
The vulnerability can be reproduced by first initiating a remote stop, which successfully cancels the transaction by setting the authorization state to false. Then, a delayed authorization response is sent, which re-enables the authorization without proper validation. Finally, when a PowerOff event occurs, the transaction is not terminated as it should be, allowing it to remain open.
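The event ordering above, modelled as a small state machine in C++ (the language EVerest is written in). This is an added illustration, not EVerest's own code: the class, field and event names, and the rule that a PowerOff while still authorized is treated as a pause rather than a transaction end, are assumptions made to reproduce the described behaviour. The same sequence is run twice, once with a late authorization response accepted unconditionally (the flawed handling) and once with a stop-requested guard that discards any authorization response arriving after a RemoteStop.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Simplified model of authorization/transaction state (assumed names, not EVerest's API).
class ChargingSession {
public:
    explicit ChargingSession(bool hardened) : hardened_(hardened) {}

    // A transaction is running and the user is authorized.
    void start_transaction() {
        authorized_ = true;
        transaction_open_ = true;
        log("transaction started");
    }

    // RemoteStop from the backend: revoke authorization and remember that a stop is pending.
    void on_remote_stop() {
        authorized_ = false;
        stop_requested_ = true;
        log("RemoteStop: authorization revoked");
    }

    // Late answer from the authorization backend, e.g. a token check that was still
    // in flight when the RemoteStop arrived.
    void on_authorization_response(bool granted) {
        if (hardened_ && stop_requested_) {
            // Hardened handling: a stop already supersedes any pending authorization.
            log("late authorization response discarded: stop already requested");
            return;
        }
        // Flawed handling: the response re-enables authorization unconditionally.
        authorized_ = granted;
        log(granted ? "authorization granted" : "authorization denied");
    }

    // Assumed rule: PowerOff ends the transaction only if no authorization is present;
    // otherwise it is treated as a pause and the transaction stays open.
    void on_power_off() {
        if (hardened_ && stop_requested_) {
            close_transaction("PowerOff after RemoteStop");
            return;
        }
        if (authorized_) {
            log("PowerOff while authorized: treated as pause, transaction stays open");
            return;
        }
        close_transaction("PowerOff without authorization");
    }

    bool transaction_open() const { return transaction_open_; }
    const std::vector<std::string>& events() const { return events_; }

private:
    void close_transaction(const std::string& reason) {
        transaction_open_ = false;
        log("transaction closed: " + reason);
    }
    void log(const std::string& msg) { events_.push_back(msg); }

    bool hardened_;
    bool authorized_ = false;
    bool stop_requested_ = false;
    bool transaction_open_ = false;
    std::vector<std::string> events_;
};

// Replays the advisory's sequence: start, RemoteStop, delayed authorization, PowerOff.
// Returns true if the transaction is still open at the end (i.e. the stop was bypassed).
bool run_scenario(bool hardened) {
    ChargingSession s(hardened);
    s.start_transaction();
    s.on_remote_stop();
    s.on_authorization_response(true);  // delayed response arrives after the stop
    s.on_power_off();
    for (const auto& e : s.events()) std::printf("  %s\n", e.c_str());
    return s.transaction_open();
}

int main() {
    std::printf("flawed handling:\n");
    std::printf("  -> transaction open after PowerOff: %s\n\n", run_scenario(false) ? "yes" : "no");
    std::printf("hardened handling:\n");
    std::printf("  -> transaction open after PowerOff: %s\n", run_scenario(true) ? "yes" : "no");
    return 0;
}
```

The defensive point is that "authorized" must not be a single boolean that any later message can flip back: once a stop has been requested, that intent has to be recorded separately and consulted both when authorization responses arrive and when the PowerOff path decides whether the transaction ends. In a real system the same guard also deserves a log line, since a discarded late authorization after a RemoteStop is a useful signal for auditing billing disputes.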
Remediation
Users should update to EVerest version 2026.02.0 or later, where this vulnerability has been patched.