CVE-2025-68140 Overview
CVE-2025-68140 is an authorization bypass vulnerability in EVerest, an open-source EV charging software stack. The vulnerability exists in the V2G (Vehicle-to-Grid) message handling logic where session ID validation can be bypassed by submitting a session ID of 0, which matches the uninitialized default value when no session has been registered.
Critical Impact
Attackers on adjacent networks can bypass session validation to send unauthorized MQTT messages and interact with V2G message handlers, potentially manipulating charging session contexts without proper authentication.
Affected Products
- EVerest everest-core versions prior to 2025.9.0
- EV charging stations running vulnerable EVerest software stacks
- V2G-enabled charging infrastructure with exposed MQTT interfaces
Discovery Timeline
- 2026-01-21 - CVE-2025-68140 published to NVD
- 2026-01-21 - Last updated in the NVD database
Technical Details for CVE-2025-68140
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization). The flaw resides in the session validation mechanism of the EVerest V2G message processing component. When a V2G message is received, the system verifies the message validity and then checks if the submitted session ID matches a registered session. However, the implementation uses a default value of 0 for unregistered sessions, creating an exploitable condition.
An attacker operating from an adjacent network can craft V2G messages with a session ID of 0. Since this matches the default uninitialized state, the system incorrectly accepts the message as valid. This allows unauthorized parties to emit MQTT messages and communicate with V2G message handlers without establishing a legitimate session.
Root Cause
The root cause is improper initialization and validation of session identifiers. The system fails to differentiate between an unregistered session state (where session ID defaults to 0) and a legitimately submitted session ID of 0. This design flaw allows session validation bypass by exploiting the default value assumption.
Attack Vector
The attack requires adjacent network access, meaning the attacker must be on the same network segment as the vulnerable EV charging infrastructure. The attack complexity is low, requires no privileges, and no user interaction. The vulnerability allows integrity impact through unauthorized session context manipulation, though it does not directly enable confidentiality breaches or availability disruption.
The exploitation flow involves:
- Attacker gains access to the adjacent network where EVerest-powered charging stations operate
- Attacker crafts a V2G message with session ID set to 0
- The EVerest system validates the message format successfully
- Session ID check passes because 0 matches the uninitialized default value
- Attacker gains ability to send unauthorized MQTT messages and interact with V2G handlers
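The default-value comparison behind this flow, as an added C++ illustration of the bug class rather than EVerest's own code (the structs, function names and the constructed session id are assumptions; message names follow ISO 15118-2, where a zero SessionID is used only in SessionSetupReq to request a new session). The vulnerable state keeps the registered id in a zero-initialised integer, so a message carrying SessionID 0 compares equal before any session exists; the hardened state keeps "no session" as a distinct value and never accepts a zero id outside SessionSetupReq.

```cpp
// Added illustration of the bug class behind CVE-2025-68140; not EVerest code.
// Message names follow ISO 15118-2; the structs and functions are assumptions.
#include <cstdint>
#include <iostream>
#include <optional>

enum class V2GMsg { SessionSetupReq, ChargeParameterDiscoveryReq, CurrentDemandReq, SessionStopReq };

struct V2GMessage {
    V2GMsg kind;
    uint64_t session_id;   // SessionID field; 0 in SessionSetupReq means "new session"
};

// ---- Vulnerable pattern: 0 doubles as "no session" and as a comparable value
struct VulnerableSessionState {
    uint64_t session_id = 0;   // zero-initialised until a session is registered
};

bool vulnerable_accept(const VulnerableSessionState& st, const V2GMessage& m) {
    if (m.kind == V2GMsg::SessionSetupReq) return true;  // setup needs no session
    return m.session_id == st.session_id;                // BUG: 0 == 0 before setup
}

// ---- Hardened pattern: "no session" is a distinct state, and 0 is never a live id
struct HardenedSessionState {
    std::optional<uint64_t> session_id;   // empty until setup assigned an id
};

bool hardened_accept(const HardenedSessionState& st, const V2GMessage& m) {
    if (m.kind == V2GMsg::SessionSetupReq) return true;
    if (!st.session_id.has_value()) return false;   // nothing registered yet
    if (m.session_id == 0) return false;            // zero is reserved, never a live id
    return m.session_id == *st.session_id;
}

// Register the id assigned at session setup; a zero id is refused.
bool register_session(HardenedSessionState& st, uint64_t id) {
    if (id == 0) return false;
    st.session_id = id;
    return true;
}

// Scenario helpers: each returns whether the given message would be accepted.
bool vulnerable_accepts_zero_before_setup() {
    VulnerableSessionState st;
    return vulnerable_accept(st, {V2GMsg::CurrentDemandReq, 0});
}

bool hardened_accepts_zero_before_setup() {
    HardenedSessionState st;
    return hardened_accept(st, {V2GMsg::CurrentDemandReq, 0});
}

bool hardened_accepts_zero_after_setup() {
    HardenedSessionState st;
    register_session(st, 0x1122334455667788ULL);   // constructed session id
    return hardened_accept(st, {V2GMsg::CurrentDemandReq, 0});
}

bool hardened_accepts_matching_id() {
    HardenedSessionState st;
    register_session(st, 0x1122334455667788ULL);
    return hardened_accept(st, {V2GMsg::CurrentDemandReq, 0x1122334455667788ULL});
}

bool hardened_accepts_setup_with_zero() {
    HardenedSessionState st;
    return hardened_accept(st, {V2GMsg::SessionSetupReq, 0});
}

int main() {
    std::cout << "vulnerable, SessionID 0 before setup: " << vulnerable_accepts_zero_before_setup() << '\n'
              << "hardened,   SessionID 0 before setup: " << hardened_accepts_zero_before_setup() << '\n'
              << "hardened,   SessionID 0 after setup:  " << hardened_accepts_zero_after_setup() << '\n'
              << "hardened,   matching id:              " << hardened_accepts_matching_id() << '\n'
              << "hardened,   SessionSetupReq with 0:   " << hardened_accepts_setup_with_zero() << '\n';
    return 0;
}
```

The two changes are independent: std::optional removes the ambiguity between "unset" and "zero", and the explicit zero check guards against a registered-but-zero id ever being accepted even if some other path writes the state directly.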
Detection Methods for CVE-2025-68140
Indicators of Compromise
- V2G messages containing session ID value of 0 from unexpected sources
- Unusual MQTT message patterns originating from unauthenticated endpoints
- Session context modifications without corresponding valid session establishment
- Network traffic from unknown devices attempting V2G protocol communication
Detection Strategies
- Monitor V2G message logs for session ID values of 0 paired with unusual source addresses
- Implement network segmentation monitoring to detect adjacent network access attempts
- Configure MQTT broker logging to track message origins and authentication states
- Deploy network intrusion detection rules for anomalous V2G protocol traffic
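The first and fourth strategies above, as an added C++ example that is not part of this advisory or of EVerest: it parses a constructed V2G message log (the "ts src=IP msg=NAME sid=HEX" line format, the addresses and the allowlist are all assumptions) and raises an alert for a zero SessionID on anything other than SessionSetupReq, or for V2G traffic from a source that is not on the allowlist.

```cpp
// Added detection example for the CVE-2025-68140 indicators above; not EVerest
// code. The log line format "ts src=IP msg=NAME sid=HEX" is constructed for
// this example, as are the addresses and the allowlist.
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct V2GLogRecord {
    std::string ts, src, msg;
    uint64_t sid = 0;
    bool ok = false;   // false when the line lacks src/msg fields
};

// Tokenise one "key=value" style line; unknown keys are ignored.
V2GLogRecord parse_line(const std::string& line) {
    V2GLogRecord r;
    std::istringstream in(line);
    if (!(in >> r.ts)) return r;
    std::string tok;
    while (in >> tok) {
        std::size_t eq = tok.find('=');
        if (eq == std::string::npos) continue;
        std::string key = tok.substr(0, eq), val = tok.substr(eq + 1);
        if (key == "src") r.src = val;
        else if (key == "msg") r.msg = val;
        else if (key == "sid") r.sid = std::stoull(val, nullptr, 16);
    }
    r.ok = !r.src.empty() && !r.msg.empty();
    return r;
}

struct Alert {
    std::string src, msg, reason;
};

// Two rules from the indicators above: a zero SessionID on anything other than
// SessionSetupReq (the bypass signature), and a V2G message from a source that
// is not on the allowlist of known EV-side addresses.
std::vector<Alert> scan(const std::vector<std::string>& lines,
                        const std::set<std::string>& trusted_sources) {
    std::vector<Alert> alerts;
    for (const std::string& line : lines) {
        V2GLogRecord r = parse_line(line);
        if (!r.ok) continue;
        if (r.sid == 0 && r.msg != "SessionSetupReq") {
            alerts.push_back({r.src, r.msg, "zero SessionID outside SessionSetupReq"});
        } else if (trusted_sources.count(r.src) == 0) {
            alerts.push_back({r.src, r.msg, "V2G message from non-allowlisted source"});
        }
    }
    return alerts;
}

// Constructed sample: one legitimate session from 10.0.0.20, then messages
// from 10.0.0.99, which is not on the allowlist and reuses SessionID 0.
const std::vector<std::string> kSampleLog = {
    "2026-01-21T10:00:01Z src=10.0.0.20 msg=SessionSetupReq sid=0000000000000000",
    "2026-01-21T10:00:02Z src=10.0.0.20 msg=ChargeParameterDiscoveryReq sid=1122334455667788",
    "2026-01-21T10:05:00Z src=10.0.0.99 msg=CurrentDemandReq sid=0000000000000000",
    "2026-01-21T10:05:01Z src=10.0.0.99 msg=SessionSetupReq sid=0000000000000000",
    "garbage line with no fields",
};
const std::set<std::string> kTrustedSources = {"10.0.0.20"};

std::vector<Alert> scan_sample() { return scan(kSampleLog, kTrustedSources); }

int main() {
    for (const Alert& a : scan_sample())
        std::cout << "ALERT src=" << a.src << " msg=" << a.msg << " reason=" << a.reason << '\n';
    return 0;
}
```

The zero-SessionID rule is checked before the allowlist rule on purpose: a trusted address sending SessionID 0 outside setup is still worth an alert, since it may be a compromised or misbehaving device rather than a new one.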
Monitoring Recommendations
- Enable detailed logging on EVerest components handling V2G message processing
- Monitor charging station networks for unauthorized device connections
- Implement alerting on session context changes that lack corresponding session establishment events
- Review MQTT broker access logs regularly for unauthenticated or suspicious message submissions
How to Mitigate CVE-2025-68140
Immediate Actions Required
- Upgrade EVerest everest-core to version 2025.9.0 or later immediately
- Audit network segmentation to ensure charging infrastructure is isolated from untrusted adjacent networks
- Review logs for any historical evidence of session ID 0 exploitation attempts
- Implement additional access controls on MQTT broker interfaces
Patch Information
The vulnerability is fixed in EVerest version 2025.9.0. The patch addresses the session ID validation logic to properly distinguish between uninitialized sessions and legitimate session ID submissions. Organizations should prioritize upgrading to the patched version. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement strict network segmentation to limit adjacent network access to charging infrastructure
- Configure firewall rules to restrict V2G protocol communication to known trusted devices only
- Enable MQTT authentication and authorization to prevent unauthorized message submissions
- Consider temporarily disabling V2G functionality if upgrade cannot be performed immediately
# Example host firewall rules (illustrative only: 192.168.100.0/24 stands for the untrusted adjacent segment, eth0 for the interface facing it)
# Restrict access to the charging station from untrusted networks; use -I instead of -A if an earlier ACCEPT rule would match first
# Drop MQTT broker traffic (TCP 1883) from the untrusted segment
iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 1883 -j DROP
# Drop ISO 15118 SECC discovery (SDP runs on UDP 15118) and any TCP use of the same port from the untrusted segment
iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p udp --dport 15118 -j DROP
iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 15118 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

