Platform
other
Component
everest-core
Fixed in
2025.12.2
CVE-2026-24003 is an authentication bypass in everest-core, the core of the EVerest open-source EV charging software stack. The flaw lets an attacker circumvent the sequence state verification applied to ISO 15118-2 requests, so that messages arriving out of the expected order are processed rather than rejected. This can be used to interfere with the charging session's state handling and to inject data the stack should not accept at that point. Versions up to and including 2025.12.1 are affected; the fix ships in 2025.12.2.
Successful exploitation could allow an attacker who can send ISO 15118-2 requests to the charger (for example from the vehicle side of the link) to have those requests processed without having completed authentication. The page notes a limiting factor: the bypass does not let the attacker move the session out of the WaitingForAuthentication state, so on its own it does not start an unauthorized charging session. The risk is that request payloads which should only be handled after authorization are accepted early; depending on what downstream handlers do with that data, the consequences could include unauthorized or mis-attributed charging with costs to the user or the charging station operator, tampered charging parameters, and in the worst case unsafe behaviour toward the vehicle. Since the checks being bypassed are exactly the ones that gate state transitions, this remains a significant security issue despite the limitation.
CVE-2026-24003 was publicly disclosed on January 26, 2026. Its impact stems from the bypass of authentication state checks in the charger's high-level communication, a recurring weakness class in charging infrastructure. There is currently no indication of active exploitation, and the CVE is not listed in the CISA KEV catalog. No public proof-of-concept code is available.
Exploit Status
EPSS
0.23% (45th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24003 is to upgrade everest-core to version 2025.12.2 or later, which contains the fix. If an immediate upgrade is not possible, restrict who can reach the charger's ISO 15118-2 interface (physical access to the charge port and the network path to the charger) and monitor charging sessions for anomalies. Generic WAF rules or HTTP proxy configurations do not apply here: ISO 15118-2 is a vehicle-to-charger protocol rather than web traffic, so detection has to come from the charger's own V2G session logs. Sessions in which requests arrive out of the expected message order, or in which the stack reports sequence errors, are the pattern to alert on. After upgrading, confirm that the deployed version is 2025.12.2 or later and, in a test setup, verify that a request sent out of sequence before authorization has completed is rejected with a sequence error rather than processed.
Update to version 2025.12.2 or later; versions up to and including 2025.12.1 are affected. Track releases in the EVerest repository and apply the security patch as soon as your deployment process allows.
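The sequence state check the advisory describes, and the kind of session monitoring the mitigation section recommends, as an added example in C++ (the language everest-core is written in) that is not the project's own code. Message and state names follow the ISO 15118-2 message flow, but the checker, the `Session` struct and its `authorized` flag are hypothetical simplifications. The weak handler only checks that a request is one it can decode, so an out-of-sequence request is handed to its handler while the session is still in WaitingForAuthentication (the state itself does not advance, mirroring the limitation noted above); the strict handler rejects it with the standard's FAILED_SequenceError response and terminates the session. `count_sequence_errors` replays a constructed message trace and counts such rejections, which is the signal a session monitor should alert on.

```cpp
// Added example, not everest-core code: a minimal ISO 15118-2 style request
// sequence check for a charger. Message and state names follow the standard's
// message flow; the checker, Session and its authorized flag are hypothetical
// simplifications for illustration.
#include <map>
#include <set>
#include <string>
#include <vector>

enum class V2GState {
    SessionSetup,
    ServiceDiscovery,
    WaitingForAuthentication,
    ChargeParameterDiscovery,
    Charging,
    Terminated
};

struct Session {
    V2GState state = V2GState::SessionSetup;
    bool authorized = false;  // granted by the authorization backend (hypothetical)
};

// Every request type the stack can decode.
static const std::set<std::string> kKnownRequests = {
    "SessionSetupReq", "ServiceDiscoveryReq", "PaymentServiceSelectionReq",
    "PaymentDetailsReq", "AuthorizationReq", "ChargeParameterDiscoveryReq",
    "PowerDeliveryReq", "ChargingStatusReq", "SessionStopReq"};

// Requests that are legal in each state.
static const std::map<V2GState, std::set<std::string>> kAllowedInState = {
    {V2GState::SessionSetup, {"SessionSetupReq"}},
    {V2GState::ServiceDiscovery, {"ServiceDiscoveryReq", "SessionStopReq"}},
    {V2GState::WaitingForAuthentication,
     {"PaymentServiceSelectionReq", "PaymentDetailsReq", "AuthorizationReq",
      "SessionStopReq"}},
    {V2GState::ChargeParameterDiscovery,
     {"ChargeParameterDiscoveryReq", "SessionStopReq"}},
    {V2GState::Charging, {"PowerDeliveryReq", "ChargingStatusReq", "SessionStopReq"}},
    {V2GState::Terminated, std::set<std::string>{}}};

// State transition after a request has been accepted. Nothing but SessionStopReq
// leaves WaitingForAuthentication without an authorization grant; this mirrors
// the limitation the advisory notes for the bypass.
static void advance(Session& s, const std::string& req) {
    if (s.state == V2GState::WaitingForAuthentication && !s.authorized &&
        req != "SessionStopReq")
        return;
    if (req == "SessionSetupReq") s.state = V2GState::ServiceDiscovery;
    else if (req == "ServiceDiscoveryReq") s.state = V2GState::WaitingForAuthentication;
    else if (req == "AuthorizationReq") s.state = V2GState::ChargeParameterDiscovery;
    else if (req == "ChargeParameterDiscoveryReq") s.state = V2GState::Charging;
    else if (req == "SessionStopReq") s.state = V2GState::Terminated;
    // Payment*, PowerDelivery and ChargingStatus requests leave the state unchanged.
}

// Weak check: only asks whether the request can be decoded, so an out-of-order
// request is still handed to its handler (and its payload acted on) while the
// session sits in WaitingForAuthentication.
std::string handle_weak(Session& s, const std::string& req) {
    if (kKnownRequests.count(req) == 0) return "FAILED";
    advance(s, req);
    return "OK";
}

// Strict check: the request must be allowed in the current state; anything else
// is answered with FAILED_SequenceError and the session is terminated instead of
// the request being processed.
std::string handle_strict(Session& s, const std::string& req) {
    const auto it = kAllowedInState.find(s.state);
    if (it == kAllowedInState.end() || it->second.count(req) == 0) {
        s.state = V2GState::Terminated;
        return "FAILED_SequenceError";
    }
    advance(s, req);
    return "OK";
}

// Replay a V2G request trace through the strict checker and count rejections.
// In a session monitor, any non-zero count for a session is worth an alert.
int count_sequence_errors(const std::vector<std::string>& trace) {
    Session s;
    int errors = 0;
    for (const auto& req : trace)
        if (handle_strict(s, req) == "FAILED_SequenceError") ++errors;
    return errors;
}

// Constructed trace (not a real capture): the EV skips authorization and sends
// ChargeParameterDiscoveryReq, then PowerDeliveryReq.
const std::vector<std::string> kSuspiciousTrace = {
    "SessionSetupReq", "ServiceDiscoveryReq", "PaymentServiceSelectionReq",
    "ChargeParameterDiscoveryReq", "PowerDeliveryReq"};
```

Run the same trace through `handle_weak` and `handle_strict` to see the difference: the weak path returns OK for the premature ChargeParameterDiscoveryReq while leaving the session in WaitingForAuthentication, which is the behaviour the advisory describes; the strict path returns FAILED_SequenceError and terminates. The post-upgrade verification step in the mitigation section is exactly this second behaviour observed on a real charger.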
CVE-2026-24003 is a medium-severity vulnerability in everest-core versions up to and including 2025.12.1 that allows an attacker to bypass authentication checks and interfere with charging-session state handling.
You are affected if you are running everest-core version 2025.12.1 or earlier. Upgrade to version 2025.12.2 or later to mitigate the risk.
Upgrade everest-core to version 2025.12.2 or later. If an immediate upgrade is not possible, restrict access to the charger's ISO 15118-2 interface and monitor charging sessions for out-of-sequence requests.
There is currently no indication of active exploitation of CVE-2026-24003.
Refer to the official EVerest documentation and the everest-core security advisories for the latest information regarding CVE-2026-24003.