CVE-2025-68133 Overview
CVE-2025-68133 is a resource exhaustion vulnerability in EVerest, an open-source EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The vulnerability affects the EvseV2G module responsible for handling vehicle-to-grid communication.
Critical Impact
Successful exploitation allows an adjacent network attacker to cause a complete denial of service on EV charging stations, shutting down the EVerest processes and all EVSE functionality without requiring authentication or user interaction.
Affected Products
- EVerest everest-core versions 2025.9.0 and below
- EvseV2G module (TCP/TLS connection handling)
- EV charging stations running vulnerable EVerest software stack
Discovery Timeline
- 2026-01-21 - CVE CVE-2025-68133 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-68133
Vulnerability Analysis
This vulnerability exists in the connection handling logic of the EvseV2G module within EVerest. The core issue stems from improper resource allocation controls when processing incoming network connections. When a TCP or TLS connection is received, the software spawns a new thread to handle each connection before performing adequate verification. An attacker on the adjacent network can exploit this by establishing numerous connections that are accepted but never complete the ISO 15118-2 handshake, causing unbounded thread creation and memory exhaustion.
The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), which accurately describes the failure to implement connection limits or resource caps. The attack can be executed from an adjacent network position without any privileges or user interaction, and when successful, affects the entire charging infrastructure beyond just the vulnerable component.
Root Cause
The root cause is the absence of connection state tracking before thread allocation. The connection.cpp and tls_connection.cpp files in the EvseV2G module would accept and process any incoming TCP or TLS connection by immediately spawning a handler thread. There was no mechanism to check whether an active connection already existed or to limit concurrent connection attempts. The connection_initiated flag that now tracks connection state was not implemented in vulnerable versions, allowing attackers to flood the system with connection requests.
Attack Vector
An attacker positioned on the same local network segment as the EV charging station can exploit this vulnerability by:
- Establishing multiple TCP or TLS connections to the EvseV2G module
- Keeping connections open without completing ISO 15118-2 protocol negotiation
- Repeating this process to spawn unlimited threads, each consuming system memory
- Exhausting available memory until the EVerest process terminates
- Causing denial of service to all EVSE functionality on the affected charging station
The attack requires adjacent network access but no authentication or privileges, making it relatively straightforward to execute in shared charging environments.
// Security patch in tls_connection.cpp - Connection state tracking added
// Source: https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd
void handle_new_connection_cb(tls::Server::ConnectionPtr&& con, struct v2g_context* ctx) {
assert(con != nullptr);
assert(ctx != nullptr);
if (ctx->connection_initiated) {
dlog(DLOG_LEVEL_ERROR, "Incoming TLS connection on %s, but there is already an active connection.",
ctx->if_name);
return;
}
ctx->connection_initiated = true;
// create a thread to process this connection
try {
// passing unique pointers through thread parameters is problematic
// Security patch in connection.cpp - Reset connection state on teardown
// Source: https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd
}
dlog(DLOG_LEVEL_INFO, "TCP connection closed gracefully");
conn->ctx->connection_initiated = false;
if (rv != ERROR_SESSION_ALREADY_STARTED) {
/* cleanup and notify lower layers */
connection_teardown(conn);
Detection Methods for CVE-2025-68133
Indicators of Compromise
- Unusual spike in TCP/TLS connection attempts to EV charging station endpoints
- Rapid memory consumption on systems running EVerest EvseV2G module
- Multiple incomplete ISO 15118-2 sessions from single or multiple source addresses
- EVerest process crashes or unexpected terminations with memory exhaustion errors
- High thread count in EVerest processes without corresponding charging sessions
Detection Strategies
- Monitor network traffic for abnormal connection patterns to charging station communication ports
- Implement connection rate limiting and alerting at the network perimeter for EVSE networks
- Track memory and thread utilization metrics on systems running EVerest software
- Configure process monitoring to alert on EVerest service terminations or restarts
- Deploy network intrusion detection rules for TCP connection flooding patterns
Monitoring Recommendations
- Establish baseline connection rates for normal charging operations and alert on deviations
- Monitor system logs for pthread_create() failures or memory allocation errors in EvseV2G
- Implement real-time alerting for EVerest process crashes or service unavailability
- Track network connection states for incomplete ISO 15118-2 handshakes
- Review adjacent network access controls and segmentation for charging infrastructure
How to Mitigate CVE-2025-68133
Immediate Actions Required
- Upgrade EVerest to version 2025.10.0 or later immediately
- Implement network segmentation to restrict adjacent network access to charging stations
- Apply temporary connection rate limiting at the network level if immediate patching is not possible
- Monitor charging station availability and implement automated restart procedures
- Review and restrict physical network access to charging infrastructure
Patch Information
The vulnerability is fixed in EVerest version 2025.10.0. The fix introduces a connection_initiated flag that tracks whether an active connection exists before accepting new connections. When a connection is already active, new connection attempts are rejected with an error log. The flag is properly reset when connections close gracefully or when threads fail to start. Detailed patch commits are available in the EVerest Security Advisory.
Workarounds
- Implement network-level connection rate limiting for TCP connections to EVSE endpoints
- Deploy firewall rules to restrict access to charging stations from untrusted network segments
- Use VLANs or network segmentation to isolate charging infrastructure from general network access
- Consider implementing application-level connection limits if modifying EVerest configuration is possible
- Enable process watchdog mechanisms to automatically restart EVerest services upon crashes
# Network-level mitigation using iptables to limit connection rate
# Adjust interface and rate limits based on your environment
# Limit new TCP connections per source IP to EVSE ports
iptables -A INPUT -p tcp --dport 15118 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 15118 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Monitor connection states
netstat -an | grep :15118 | wc -l
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
