CVE-2025-68136 Overview
CVE-2025-68136 is a null pointer dereference vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the Session Discovery Protocol (SDP) request handling mechanism, where improper resource management leads to a denial of service condition. When the module receives an SDP request, it creates new Session and IConnection objects that open TCP sockets for ISO15118-20 communications without properly closing and destroying previous instances. This resource leak combined with improper pointer handling can result in a null pointer dereference, causing system crashes.
Critical Impact
Adjacent network attackers can exploit this vulnerability to cause denial of service in EV charging infrastructure without authentication, potentially disrupting electric vehicle charging operations.
Affected Products
- EVerest everest-core versions prior to 2025.10.0
- EV charging stations running vulnerable EVerest software stack
- ISO15118-20 communication modules within EVerest
Discovery Timeline
- 2026-01-21 - CVE CVE-2025-68136 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-68136
Vulnerability Analysis
This vulnerability stems from improper allocation of resources without limits or throttling (CWE-770) in the EVerest charging software stack. The core issue manifests in the SDP request handling logic where each incoming request triggers the creation of new session objects without proper cleanup of existing resources.
When the module processes an SDP request, it instantiates new Session and IConnection objects, opening fresh TCP sockets for ISO15118-20 communications. The problematic behavior occurs because these operations happen without first closing and destroying the previous session instances. The previous Session object is not preserved, and the unique_ptr usage pattern causes premature destruction of connection data.
The vulnerability becomes exploitable when the socket file descriptor is not the last one in the sequence, leading to a null pointer dereference. This condition causes the application to crash, resulting in denial of service for the EV charging station.
Root Cause
The root cause is improper resource lifecycle management in the SDP request handler. The code creates new session objects upon each SDP request but fails to properly deallocate previous instances. The use of unique_ptr for session management results in automatic destruction of connection data when the pointer is overwritten, but the callbacks registered for file descriptors may still reference the destroyed objects. When these callbacks are invoked for non-terminal file descriptors, the null pointer dereference occurs.
Attack Vector
The vulnerability requires adjacent network access, meaning an attacker must be on the same local network segment as the vulnerable EV charging station. The attack can be executed without authentication or user interaction. An attacker can send crafted SDP requests to trigger the resource exhaustion and subsequent null pointer dereference condition.
The attack flow involves:
- Attacker identifies an EVerest-based charging station on the local network
- Attacker sends multiple SDP requests to the target
- Each request creates new session objects without cleanup
- Eventually, a null pointer dereference occurs when callbacks reference destroyed connection data
- The charging station service crashes, denying service to legitimate users
Detection Methods for CVE-2025-68136
Indicators of Compromise
- Unexpected service crashes or restarts of the EVerest charging module
- Abnormal patterns of SDP requests from single sources on the local network
- Memory consumption anomalies in the charging station software
- Repeated TCP connection establishment attempts to ISO15118-20 ports
Detection Strategies
- Monitor for crash dumps or core files generated by the EVerest process indicating null pointer dereference
- Implement network traffic analysis for unusual SDP request patterns on the charging infrastructure network
- Deploy application-level logging to track session creation and destruction events
- Use memory profiling tools to detect resource leaks in the charging software
Monitoring Recommendations
- Configure logging for all SDP request handling events with timestamps and source addresses
- Set up automated alerting for EVerest service crashes or unexpected restarts
- Monitor system resources (memory, file descriptors) on charging station hardware
- Implement network segmentation monitoring to detect unauthorized adjacent network access
How to Mitigate CVE-2025-68136
Immediate Actions Required
- Upgrade EVerest everest-core to version 2025.10.0 or later immediately
- Implement network segmentation to isolate EV charging infrastructure from untrusted networks
- Enable rate limiting for SDP requests at the network level where possible
- Monitor charging stations for signs of exploitation attempts
Patch Information
The vulnerability is fixed in EVerest everest-core version 2025.10.0. This update addresses the improper resource management by ensuring proper cleanup of previous session objects before creating new ones. Organizations should prioritize updating all affected charging infrastructure to the patched version.
For detailed patch information and security advisory, refer to the GitHub Security Advisory.
Workarounds
- Implement strict network access controls to limit which devices can communicate with charging stations
- Deploy intrusion detection systems to monitor for SDP request flooding attempts
- Consider temporary service restrictions during high-risk periods until patching is complete
- Enable service monitoring and automatic restart capabilities to minimize downtime from crashes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
