CVE-2026-24003 Overview
CVE-2026-24003 is an authentication bypass vulnerability affecting EVerest, an open-source EV charging software stack. In versions up to and including 2025.12.1, attackers can bypass sequence state verification and authentication controls, allowing unauthorized requests that transition the system to forbidden states. This enables updating the charging context with illegitimate data through malicious ISO 15118-2 protocol messages published to the MQTT server.
Critical Impact
Attackers on adjacent networks can manipulate EV charging stations to prepare for charging operations without proper authentication, potentially leading to unauthorized energy consumption or physical safety concerns at charging infrastructure.
Affected Products
- EVerest EV Charging Software Stack versions up to and including 2025.12.1
- Systems implementing ISO 15118-2 communication protocol with EVerest
- EVerest deployments using MQTT-based message handling
Discovery Timeline
- 2026-01-26 - CVE-2026-24003 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24003
Vulnerability Analysis
The vulnerability exists in the state machine implementation within EVerest's EVSEManager Charger module. While authorization is architecturally separated into a dedicated module, the internal state machine can be manipulated through specially crafted ISO 15118-2 messages. Although the state machine cannot transition out of the WaitingForAuthentication state through normal ISO 15118-2 communication, attackers can leverage MQTT message publishing to trick the system into preparing charging operations.
The attack exploits improper authentication controls (CWE-287) in the state transition logic. An attacker with adjacent network access can send crafted ISO 15118-2 messages that are published to the MQTT server, causing the system to prepare for charging and even prepare to send current to the electric vehicle. However, the final step of actually delivering current requires contactor closure, which appears to still require leaving the WaitingForAuthentication state through legitimate means.
Root Cause
The root cause is improper authentication enforcement in the state machine transition logic. The modular design intended for authorization to be handled separately, but the state verification does not adequately validate that authentication has been completed before allowing certain state transitions triggered via ISO 15118-2 messages published to MQTT. This creates a gap where the system can be manipulated into forbidden states without proper credential verification.
Attack Vector
The attack requires adjacent network access to the EVerest deployment. An attacker must be able to communicate with the system via the ISO 15118-2 protocol or access the MQTT message broker. The exploitation flow involves:
- Connecting to the charging station's network from an adjacent position
- Crafting malicious ISO 15118-2 messages designed to manipulate state transitions
- Publishing these messages to the MQTT server to bypass the normal state verification
- Transitioning the system to prepare charging operations without completing authentication
For detailed technical implementation, refer to the EVerest iso_server.cpp source code and the GitHub Security Advisory.
Detection Methods for CVE-2026-24003
Indicators of Compromise
- Unexpected state transitions in EVSEManager logs showing movement toward charging preparation without prior authentication completion
- Anomalous ISO 15118-2 messages appearing in MQTT broker logs that do not follow the expected sequence
- Charging session attempts recorded without corresponding authentication events in audit logs
Detection Strategies
- Monitor MQTT broker traffic for ISO 15118-2 messages that attempt to trigger state transitions outside the normal authentication flow
- Implement logging to capture and alert on state machine transitions that occur while in the WaitingForAuthentication state
- Deploy network intrusion detection systems to identify suspicious traffic patterns from adjacent network sources targeting EV charging infrastructure
Monitoring Recommendations
- Enable verbose logging on the EVSEManager module to capture all state transitions and their triggering events
- Set up alerts for any charging preparation activities that are not preceded by successful authentication events
- Monitor MQTT broker access logs for unauthorized publishers or unexpected message patterns
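As an added example (not code from the advisory or from the EVerest project), a small Python checker that implements the detection idea above: it correlates state-machine transitions with authentication events per EVSE and flags any move into a charging-preparation state that was not preceded by an accepted authentication in the same session. The log line format, the "Auth" event, and every state name other than WaitingForAuthentication are assumptions; the sample log is constructed.

```python
import re

# Constructed log format (hypothetical; not EVerest's real log layout):
#   "<ts> EVSEManager evse=<id> transition <from> -> <to>"
#   "<ts> Auth evse=<id> result=<accepted|rejected>"
TRANSITION_RE = re.compile(
    r"^(?P<ts>\S+) EVSEManager evse=(?P<evse>\w+) transition (?P<src>\w+) -> (?P<dst>\w+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) Auth evse=(?P<evse>\w+) result=(?P<result>\w+)$")

# Assumed names for the "preparing to charge" states; reaching any of them
# without an accepted Auth event for that EVSE is the signal to alert on.
PREP_STATES = {"PrepareCharging", "WaitingForEnergy", "Charging"}


def find_unauthenticated_preparation(lines):
    """Return (ts, evse, transition) for every charging-preparation transition
    that has no accepted authentication earlier in the same session."""
    authenticated = set()  # EVSE ids with an accepted Auth in the current session
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m["result"] == "accepted":
                authenticated.add(m["evse"])
            continue
        m = TRANSITION_RE.match(line)
        if not m:
            continue  # unrelated log line
        evse, src, dst = m["evse"], m["src"], m["dst"]
        if dst in PREP_STATES and evse not in authenticated:
            alerts.append((m["ts"], evse, f"{src} -> {dst}"))
        if dst == "WaitingForAuthentication":
            authenticated.discard(evse)  # new session: old auth no longer counts
    return alerts


# Constructed sample: EVSE 1 authenticates normally; EVSE 2 is pushed into
# PrepareCharging with no Auth event at all; EVSE 3 is pushed there after a rejection.
SAMPLE_LOG = [
    "2026-01-26T10:00:00Z EVSEManager evse=1 transition Idle -> WaitingForAuthentication",
    "2026-01-26T10:00:05Z Auth evse=1 result=accepted",
    "2026-01-26T10:00:06Z EVSEManager evse=1 transition WaitingForAuthentication -> PrepareCharging",
    "2026-01-26T10:00:07Z EVSEManager evse=1 transition PrepareCharging -> Charging",
    "2026-01-26T10:05:00Z EVSEManager evse=2 transition Idle -> WaitingForAuthentication",
    "2026-01-26T10:05:02Z EVSEManager evse=2 transition WaitingForAuthentication -> PrepareCharging",
    "2026-01-26T10:10:00Z EVSEManager evse=3 transition Idle -> WaitingForAuthentication",
    "2026-01-26T10:10:01Z Auth evse=3 result=rejected",
    "2026-01-26T10:10:02Z EVSEManager evse=3 transition WaitingForAuthentication -> PrepareCharging",
]
```

Run against a real deployment by adapting the two regular expressions to the actual EVSEManager and authorization module log lines; the rest of the logic is format-independent.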
How to Mitigate CVE-2026-24003
Immediate Actions Required
- Audit network access controls to limit adjacent network connectivity to EVerest deployments
- Implement strict MQTT broker authentication and authorization to prevent unauthorized message publishing
- Review and restrict access to ISO 15118-2 communication interfaces
- Monitor charging stations for unusual state transition patterns indicating exploitation attempts
Patch Information
As of the time of publication, no fixed versions are available from EVerest. Organizations should monitor the EVerest GitHub repository and the security advisory for updates regarding a security patch.
Workarounds
- Implement network segmentation to isolate EV charging infrastructure from untrusted adjacent networks
- Configure MQTT broker ACLs to restrict which clients can publish ISO 15118-2 related messages
- Deploy additional authentication layers at the network level for systems communicating with EVerest
- Consider disabling or restricting ISO 15118-2 functionality until a patch is available, if operationally feasible
# Example MQTT broker hardening to restrict publishing (Mosquitto shown; adjust the topic filter to your deployment's actual topic layout)
# In mosquitto.conf: require authenticated clients and enable the ACL file
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
# In /etc/mosquitto/acl: Mosquitto denies any access that is not explicitly granted, so only list the clients that need these topics.
# Read-only clients (e.g. a monitoring collector, shown here as the example user "monitor") may only subscribe
user monitor
topic read everest/iso15118/#
# Only the password-authenticated controller may publish on the ISO 15118-2 topics
user authorized_evse_controller
topic readwrite everest/iso15118/#
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

