EVerest EV Charging Software Remote Stop Bypass Vulnerability
Vulnerability
A vulnerability in EVerest, an EV charging software stack, allows the Electric Vehicle Supply Equipment (EVSE) to resume a charging session immediately after a remote stop command is issued. The EV's BCB toggle can reactivate the session by returning the EVSE to the 'PrepareCharging' state. This behavior undermines the intended irreversibility of the remote stop process and can circumvent operational, billing, and safety controls. The vulnerability affects EVerest versions prior to 2026.02.0. It stems from the 'cancel_transaction()' function not properly deactivating the transaction state. As a result, the EVSE manager can mistakenly interpret the session as still active, allowing unauthorized restarts of charging sessions, potentially leading to energy theft and billing fraud.
Impact
Exploitation of this vulnerability bypasses the remote stop function, allowing charging sessions to be restarted improperly. This not only facilitates potential energy theft and billing fraud but also creates risks by bypassing established operational and safety controls.
Reproduction
The vulnerability can be reproduced by first initiating a charging session and then sending a remote stop command through the OCPP interface. After the EVSE manager processes the stop request, the BCB toggle can be used to restart the session, despite the remote stop being intended as a final action. This issue can be verified by observing the EVSE state transition back to 'PrepareCharging' and the transaction state remaining active, which should not occur after a remote stop has been executed.
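The verification described above can be run as a check over charger event history. The following is an added example, not EVerest code or log output: the event tuple format, the event kinds, the 'Charging' state name and the sample trace are assumptions made for illustration, and only the 'PrepareCharging' state comes from the advisory.

```python
from dataclasses import dataclass

REENTRY_STATE = "PrepareCharging"  # state named in the advisory


@dataclass
class Finding:
    evse: str
    stopped_at: int
    resumed_at: int


def find_resume_after_remote_stop(events):
    """Flag each EVSE that re-enters PrepareCharging after a remote stop
    with no fresh authorization or unplug in between.

    events: (ts, evse, kind, value) tuples; the kinds 'remote_stop', 'state',
    'authorized' and 'unplugged' are a hypothetical normalised format.
    """
    stopped = {}  # evse -> timestamp of the remote stop still in force
    findings = []
    for ts, evse, kind, value in sorted(events):
        if kind == "remote_stop":
            stopped[evse] = ts
        elif kind in ("authorized", "unplugged"):
            # Assumption: a new authorization or plug cycle starts a new session.
            stopped.pop(evse, None)
        elif kind == "state" and value == REENTRY_STATE and evse in stopped:
            findings.append(Finding(evse, stopped.pop(evse), ts))
    return findings


# Constructed sample trace (seconds); not captured from a real charger.
SAMPLE = [
    (0, "evse1", "authorized", "tag-A"),
    (2, "evse1", "state", "PrepareCharging"),
    (5, "evse1", "state", "Charging"),
    (60, "evse1", "remote_stop", "tx-1"),
    (75, "evse1", "state", "PrepareCharging"),  # resumed, no new authorization
    (0, "evse2", "authorized", "tag-B"),
    (4, "evse2", "state", "PrepareCharging"),
    (50, "evse2", "remote_stop", "tx-2"),
    (55, "evse2", "unplugged", ""),
    (90, "evse2", "authorized", "tag-B"),
    (92, "evse2", "state", "PrepareCharging"),  # new session, not flagged
]

if __name__ == "__main__":
    for f in find_resume_after_remote_stop(SAMPLE):
        print(f"{f.evse}: stop at t={f.stopped_at}, PrepareCharging at t={f.resumed_at}")
```

Any finding on a charger running a version prior to 2026.02.0 is worth reconciling against the billing records for that transaction.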
Remediation
Users can update to EVerest version 2026.02.0 or later, where this vulnerability has been patched.
