CVE-2025-68137 Overview
CVE-2025-68137 is an integer overflow vulnerability in EVerest, an open-source EV charging software stack. The flaw exists in the SdpPacket::parse_header() function where an integer overflow allows the current buffer length to be incorrectly set to 7 after a complete header of size 8 has been read. When calculating the remaining length to read by subtracting the header length from the current length, this results in a negative value. Since the expected argument type is size_t, this negative value is interpreted as SIZE_MAX (or slightly less), leading to catastrophic memory corruption scenarios.
Critical Impact
Depending on whether the server uses plain TCP or TLS, exploitation can result in either an infinite loop causing denial of service or a stack buffer overflow potentially enabling remote code execution from adjacent network positions.
Affected Products
- EVerest everest-core versions prior to 2025.10.0
Discovery Timeline
- 2026-01-21 - CVE CVE-2025-68137 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-68137
Vulnerability Analysis
This vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), commonly known as a classic buffer overflow. The root issue is an integer overflow that occurs during header parsing in the Session Descriptor Protocol (SDP) packet handler. The vulnerability is exploitable from an adjacent network position, meaning an attacker must be on the same local network segment as the vulnerable EV charging station.
The attack does not require authentication or user interaction, making it particularly dangerous in shared network environments such as parking garages, commercial charging stations, or fleet management facilities. The scope is changed, indicating the vulnerability can affect resources beyond the vulnerable component's security boundary.
Root Cause
The root cause lies in the SdpPacket::parse_header() function where improper integer handling occurs. After reading a complete 8-byte header, the buffer length tracking variable is erroneously set to 7. When the code subsequently calculates the remaining data to read using subtraction (current_length - header_length), the result is -1. However, since this value is cast to or expected as size_t (an unsigned type), the negative value wraps around to SIZE_MAX, which is the maximum value representable by size_t (typically 18,446,744,073,709,551,615 on 64-bit systems).
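The wrap described above can be reproduced in isolation. The following C++ is an added illustration written for this page, not code from EVerest or from the advisory; the 8-byte header length comes from the text, while the function names, the assumed payload cap and the constructed packet bytes are this example's own. It shows the unchecked size_t subtraction producing SIZE_MAX from a length tracker of 7, beside a checked form that rejects the state as a parse error and refuses a copy into a fixed buffer unless the length has been validated against its capacity.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>

// Hypothetical constants for this example; only the 8-byte header length
// is taken from the advisory text, the payload cap is an assumption.
constexpr std::size_t kHeaderLength = 8;
constexpr std::size_t kMaxPayload = 1024;

// The defect pattern the page describes: an unsigned subtraction with no
// check that current_length is at least header_length. With 7 and 8 the
// result wraps to SIZE_MAX instead of -1.
std::size_t remaining_unchecked(std::size_t current_length, std::size_t header_length) {
    return current_length - header_length;
}

// Hardened form: refuse any state in which fewer bytes than a full header
// are accounted for, and cap the remaining length so a wrapped or hostile
// value can never drive a read loop or a copy into a stack buffer.
std::optional<std::size_t> remaining_checked(std::size_t current_length,
                                             std::size_t header_length,
                                             std::size_t max_payload) {
    if (current_length < header_length) {
        return std::nullopt;            // would wrap; treat as a parse error
    }
    const std::size_t remaining = current_length - header_length;
    if (remaining > max_payload) {
        return std::nullopt;            // larger than any legitimate payload
    }
    return remaining;
}

// Copy into a fixed-size buffer only when the length fits its capacity; the
// absence of exactly this check is what turns a wrapped length into a
// stack buffer overflow in the TLS path described on the page.
bool copy_payload(const std::uint8_t* src, std::size_t len,
                  std::uint8_t* dst, std::size_t dst_capacity) {
    if (len > dst_capacity) {
        return false;
    }
    std::memcpy(dst, src, len);
    return true;
}

int main() {
    // Constructed state: a full 8-byte header was read, but the length
    // tracker was left at 7, as the advisory describes.
    const std::size_t current_length = 7;

    std::printf("unchecked remaining: %zu (SIZE_MAX is %zu)\n",
                remaining_unchecked(current_length, kHeaderLength),
                static_cast<std::size_t>(SIZE_MAX));

    auto checked = remaining_checked(current_length, kHeaderLength, kMaxPayload);
    std::printf("checked remaining: %s\n",
                checked ? "accepted" : "rejected as parse error");

    // A sane state (20 bytes read, 8-byte header) yields a 12-byte payload,
    // which fits the 16-byte buffer; the copy is allowed.
    auto ok = remaining_checked(20, kHeaderLength, kMaxPayload);
    std::uint8_t stack_buf[16];
    std::uint8_t sample[20] = {0};      // constructed packet bytes
    bool copied = ok && copy_payload(sample + kHeaderLength, *ok,
                                     stack_buf, sizeof stack_buf);
    std::printf("copy of %zu bytes: %s\n", ok.value_or(0), copied ? "ok" : "refused");
    return 0;
}
```

Compile with any C++17 compiler; the first line of output is the wrapped value, the second shows the same state rejected by the checked version. The design point is that the comparison must happen before the subtraction, because once the unsigned result exists there is no way to tell a wrapped value from a genuinely large length.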
Attack Vector
The attack vector is adjacent network-based, requiring the attacker to be on the same network segment as the vulnerable EVerest installation. The exploitation path differs based on the transport layer:
Plain TCP Mode: The massive SIZE_MAX value causes the read loop to attempt reading an impossibly large amount of data, resulting in an infinite loop that consumes CPU resources and renders the charging station unresponsive.
TLS Mode: The same integer overflow triggers a stack buffer overflow condition. The code attempts to write data beyond allocated stack buffer boundaries, potentially allowing an attacker to overwrite return addresses and gain control of program execution flow.
The vulnerability requires no authentication and can be triggered by sending specially crafted SDP packets to the charging station's network interface. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-68137
Indicators of Compromise
- Unexpected high CPU utilization on EV charging station controllers that may indicate an infinite loop condition
- Network traffic anomalies showing malformed or oversized SDP packets directed at charging infrastructure
- System crashes or unexpected restarts of the EVerest service, particularly when TLS is enabled
- Stack traces or core dumps indicating buffer overflow conditions in SDP packet handling functions
Detection Strategies
- Deploy network intrusion detection systems (IDS) with rules to identify malformed SDP packets targeting EV charging infrastructure
- Monitor EVerest service logs for parsing errors, unexpected disconnections, or memory-related crashes
- Implement anomaly detection for adjacent network traffic patterns targeting charging station ports
- Use SentinelOne Singularity platform to detect exploitation attempts through behavioral analysis of buffer overflow conditions
Monitoring Recommendations
- Enable verbose logging for the EVerest SDP packet processing module to capture parsing anomalies
- Configure alerting for EVerest service availability to detect denial of service conditions promptly
- Monitor memory usage patterns on charging station controllers for signs of buffer overflow attempts
- Implement network segmentation monitoring to detect unauthorized adjacent network access to charging infrastructure
How to Mitigate CVE-2025-68137
Immediate Actions Required
- Update EVerest everest-core to version 2025.10.0 or later immediately
- Isolate EV charging infrastructure on dedicated network segments with strict access controls
- Implement network access control lists (ACLs) to restrict adjacent network access to authorized devices only
- Enable enhanced logging and monitoring on charging stations until patches can be applied
Patch Information
The EVerest project has addressed this vulnerability in version 2025.10.0. Organizations should update to this version or later to remediate the integer overflow condition in SdpPacket::parse_header(). The fix ensures proper bounds checking and type handling to prevent the negative value interpretation as SIZE_MAX. For patch details, consult the GitHub Security Advisory.
Workarounds
- Place EV charging stations behind a firewall that restricts adjacent network access to only trusted management systems
- Implement 802.1X network authentication to prevent unauthorized devices from gaining adjacent network access to charging infrastructure
- Use VLANs to segment charging station networks from general user networks
- If TLS mode is in use, consider temporarily switching to plain TCP behind a secure network perimeter to convert potential code execution to DoS (less severe) while awaiting patches
# Network segmentation example using firewall rules
# Restrict access to EVerest charging stations (example port 15118)
iptables -A INPUT -p tcp --dport 15118 -s 192.168.100.0/24 -j ACCEPT
# Log connection attempts that are not from the trusted subnet; the LOG rule
# must come before DROP, because DROP ends rule traversal and a LOG placed
# after it would never fire
iptables -A INPUT -p tcp --dport 15118 -j LOG --log-prefix "EVerest-blocked: "
iptables -A INPUT -p tcp --dport 15118 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.