VYPR
Unrated severityOSV Advisory· Published Jan 26, 2026· Updated Jan 27, 2026

EvseV2G has sequence state validation bypass

CVE-2026-24003

Description

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the WaitingForAuthentication state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the WaitingForAuthentication state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Everest/Everest CoreOSV2 versions
    2022.12.0, 2022.12.1, 2023.1.0, …+ 1 more
    • (no CPE)range: 2022.12.0, 2022.12.1, 2023.1.0, …
    • (no CPE)range: <=2025.12.1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.