CVE-2026-33015 Overview
CVE-2026-33015 is an authorization bypass vulnerability in EVerest, an open-source EV charging software stack. Prior to version 2026.02.0, even immediately after a Charging Station Management System (CSMS) performs a RemoteStop (StopTransaction), the Electric Vehicle Supply Equipment (EVSE) can return to PrepareCharging via the EV's BCB (Basic Charging Communication) toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass operational, billing, and safety controls.
Critical Impact
This vulnerability allows an attacker with physical access to an EV charging station to bypass remote stop commands, potentially circumventing billing systems and safety controls intended to halt charging sessions.
Affected Products
- EVerest EV charging software stack versions prior to 2026.02.0
Discovery Timeline
- 2026-03-26 - CVE-2026-33015 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33015
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), which occurs when software does not properly verify that an actor has been authorized to access a resource or perform an action. In the context of EVerest, the authorization bypass manifests in the charging session state machine handling.
When a CSMS issues a RemoteStop command via StopTransaction, the expectation is that the charging session terminates irreversibly until a new, properly authorized session is initiated. However, due to improper state management in affected versions, the EV can manipulate the BCB toggle to force the EVSE back into the PrepareCharging state, effectively restarting the session without proper authorization.
The physical access requirement means an attacker must be present at the charging station, but this is often a realistic scenario in public charging infrastructure where EVs are left unattended during charging.
Root Cause
The root cause lies in the improper handling of state transitions after a RemoteStop command is received. The EVerest software stack fails to properly lock the session state following a remote termination request, allowing the BCB toggle signal from the connected EV to override the intended stopped state. This represents a fundamental flaw in the authorization logic governing session state transitions.
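The following toy state machine is an added example, not EVerest's code: the state names, the method names and the `latch_remote_stop` switch are constructed here to contrast the behaviour the advisory describes (a BCB toggle re-enters PrepareCharging after a RemoteStop) with the hardened behaviour the patch is said to introduce (the remote stop is latched and the session's authorization revoked until a fresh authorization arrives).

```python
"""Toy model of the EVSE session state machine discussed in this advisory.

Added example, not EVerest code. State and method names are constructed;
`latch_remote_stop=False` reproduces the vulnerable behaviour, `True` the
hardened one.
"""
from dataclasses import dataclass, field
from typing import List

IDLE, PREPARE, CHARGING, STOPPED = "Idle", "PrepareCharging", "Charging", "Stopped"


@dataclass
class EvseSession:
    latch_remote_stop: bool          # False = vulnerable behaviour, True = hardened
    state: str = IDLE
    authorized: bool = False         # a valid authorization is attached to the session
    remote_stopped: bool = False     # set by RemoteStop, cleared only by a new authorization
    trace: List[str] = field(default_factory=list)

    def _go(self, new_state: str, reason: str) -> None:
        self.trace.append(f"{self.state} -> {new_state} ({reason})")
        self.state = new_state

    def authorize(self, token: str) -> None:
        """A new authorization (RFID, CSMS, ...) is the only event that clears a remote stop."""
        self.authorized = True
        self.remote_stopped = False
        if self.state in (IDLE, STOPPED):
            self._go(PREPARE, f"authorized by {token}")

    def ev_ready(self) -> None:
        """EV signals readiness; charging starts only from PrepareCharging with authorization."""
        if self.state == PREPARE and self.authorized:
            self._go(CHARGING, "EV ready")

    def remote_stop(self) -> None:
        """CSMS RemoteStop. The hardened variant also revokes the session's authorization."""
        self.remote_stopped = True
        if self.latch_remote_stop:
            self.authorized = False
        if self.state in (PREPARE, CHARGING):
            self._go(STOPPED, "RemoteStop from CSMS")

    def bcb_toggle(self) -> None:
        """EV-side BCB toggle asking the EVSE to re-enter PrepareCharging.

        Vulnerable variant: honoured whenever the EVSE is Stopped.
        Hardened variant: refused while a remote stop is latched.
        """
        if self.state != STOPPED:
            return
        if self.latch_remote_stop and self.remote_stopped:
            self.trace.append(f"{STOPPED} -> {STOPPED} (BCB toggle ignored: remote stop latched)")
            return
        self._go(PREPARE, "BCB toggle")


def run_scenario(hardened: bool) -> EvseSession:
    """Authorize, charge, RemoteStop, then the EV toggles BCB and signals ready again."""
    s = EvseSession(latch_remote_stop=hardened)
    s.authorize("token-1")
    s.ev_ready()
    s.remote_stop()
    s.bcb_toggle()
    s.ev_ready()
    return s


if __name__ == "__main__":
    for hardened in (False, True):
        session = run_scenario(hardened)
        print("hardened" if hardened else "vulnerable", "->", session.state)
        for step in session.trace:
            print("   ", step)
```

In the vulnerable run the session ends back in Charging with the original authorization still attached; in the hardened run it stays Stopped until `authorize()` is called again, which is the property the advisory calls irreversibility of the remote stop.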
Attack Vector
The attack requires physical access to an EV charging station running a vulnerable version of EVerest. An attacker would:
- Connect an EV (or EV simulator) to a charging station that has received a RemoteStop command
- Manipulate the BCB (Basic Charging Communication) toggle signal
- Force the EVSE back into PrepareCharging state
- Resume charging despite the remote stop command
This attack vector allows bypassing operational controls, billing mechanisms, and safety protocols that depend on the irreversibility of remote stop commands. The vulnerability is particularly concerning in scenarios where remote stops are issued for safety reasons or to prevent unauthorized energy consumption.
Detection Methods for CVE-2026-33015
Indicators of Compromise
- Charging sessions resuming after RemoteStop commands have been issued
- Unexpected state transitions from Stopped to PrepareCharging in EVSE logs
- Discrepancies between CSMS session records and actual charging activity
- BCB toggle events occurring immediately after StopTransaction commands
Detection Strategies
- Monitor EVSE state machine logs for unauthorized transitions following RemoteStop commands
- Implement alerting on charging sessions that resume within a short time window after remote termination
- Audit billing records for sessions that show charging activity after stop commands
- Deploy network monitoring to correlate CSMS stop commands with actual EVSE behavior
Monitoring Recommendations
- Enable detailed logging of all state transitions in the EVerest charging stack
- Implement real-time monitoring of CSMS command execution and EVSE response
- Set up alerts for any PrepareCharging state entry that occurs without a corresponding new authorization
- Regularly audit charging session logs for anomalies in stop/start patterns
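The detection strategies and monitoring recommendations above reduce to one correlation rule: a PrepareCharging entry that follows a RemoteStop on the same EVSE without an intervening authorization is suspect, and a BCB toggle in between makes it more so. The script below is an added example, not EVerest tooling; the line format (`<ts> evse=<id> event=<name> k=v ...`) and the event names are constructed for illustration and will need adapting to the real log format of a deployment.

```python
"""Correlate RemoteStop, authorization and PrepareCharging events per EVSE.

Added example; the log format and event names below are constructed, not
EVerest's real log output.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

LINE_RE = re.compile(r"^(?P<ts>\S+) evse=(?P<evse>\d+) event=(?P<event>\w+)(?P<rest>.*)$")

# Constructed sample log: EVSE 1 re-enters PrepareCharging 5 s after a RemoteStop
# with a BCB toggle in between and no new authorization; EVSE 2 is re-authorized
# before restarting; EVSE 3 never received a RemoteStop.
SAMPLE_LOG = """\
2026-03-26T10:00:00Z evse=1 event=Authorized token=tok-A
2026-03-26T10:00:04Z evse=1 event=State new=PrepareCharging
2026-03-26T10:00:08Z evse=1 event=State new=Charging
2026-03-26T10:15:00Z evse=1 event=RemoteStop source=CSMS
2026-03-26T10:15:01Z evse=1 event=State new=Stopped
2026-03-26T10:15:03Z evse=1 event=BcbToggle
2026-03-26T10:15:05Z evse=1 event=State new=PrepareCharging
2026-03-26T10:15:09Z evse=1 event=State new=Charging
2026-03-26T11:00:00Z evse=2 event=RemoteStop source=CSMS
2026-03-26T11:00:01Z evse=2 event=State new=Stopped
2026-03-26T11:20:00Z evse=2 event=Authorized token=tok-B
2026-03-26T11:20:02Z evse=2 event=State new=PrepareCharging
2026-03-26T12:00:00Z evse=3 event=Authorized token=tok-C
2026-03-26T12:00:03Z evse=3 event=State new=PrepareCharging
"""


def _parse_kv(rest: str) -> Dict[str, str]:
    return dict(re.findall(r"(\w+)=(\S+)", rest))


def _parse_ts(ts: str) -> datetime:
    # Accept a trailing 'Z' on older Python versions of fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unauthorized_restarts(lines: Iterable[str], window_s: int = 300) -> List[Dict]:
    """Return one alert per PrepareCharging entry that follows a RemoteStop
    on the same EVSE without a new Authorized event in between."""
    alerts: List[Dict] = []
    last_stop: Dict[str, datetime] = {}     # evse -> time of most recent RemoteStop
    reauthorized: Dict[str, bool] = {}      # evse -> Authorized seen since that stop
    bcb_seen: Dict[str, bool] = {}          # evse -> BcbToggle seen since that stop

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        evse, event, kv = m["evse"], m["event"], _parse_kv(m["rest"])
        ts = _parse_ts(m["ts"])

        if event == "RemoteStop":
            last_stop[evse] = ts
            reauthorized[evse] = False
            bcb_seen[evse] = False
        elif event == "Authorized":
            reauthorized[evse] = True
        elif event == "BcbToggle":
            bcb_seen[evse] = True
        elif event == "State" and kv.get("new") == "PrepareCharging":
            stop_ts = last_stop.get(evse)
            if stop_ts is not None and not reauthorized.get(evse, False):
                delta = (ts - stop_ts).total_seconds()
                alerts.append({
                    "evse": evse,
                    "ts": m["ts"],
                    "seconds_after_stop": delta,
                    "within_window": delta <= window_s,
                    "bcb_toggle_seen": bcb_seen.get(evse, False),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_restarts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule is keyed on the EVSE id, so interleaved logs from many stations are handled; `window_s` only annotates how quickly the restart followed the stop, because the advisory's point is that any restart without a fresh authorization is unauthorized regardless of timing.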
How to Mitigate CVE-2026-33015
Immediate Actions Required
- Upgrade EVerest to version 2026.02.0 or later immediately
- Review charging session logs for evidence of exploitation
- Implement additional monitoring on charging stations while upgrade is in progress
- Consider temporarily disabling remote stop functionality if upgrade cannot be performed immediately
Patch Information
The vulnerability is addressed in EVerest version 2026.02.0. The patch ensures that RemoteStop commands result in an irreversible session termination that cannot be bypassed via BCB toggle manipulation. Users should update their EVerest installations to this version or later. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level controls to prevent unauthorized session restarts at the CSMS level
- Deploy physical security measures to limit access to charging stations during charging sessions
- Configure EVSE to require explicit re-authorization for any session following a RemoteStop
- Monitor and alert on BCB toggle events following stop commands until patches can be applied
# Verify EVerest version after upgrade
everest --version
# Expected output should show version 2026.02.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

