CVE-2025-68134 is a vulnerability classified under CWE-20 (Improper Input Validation) affecting the everest-core component of the EVerest EV charging software stack. The root cause is the use of the assert function for error handling in versions prior to 2025.10.0. When invalid input or unexpected conditions trigger an assert failure, the affected module crashes. The EVerest manager process, responsible for orchestrating multiple modules managing Electric Vehicle Supply Equipment (EVSE), is designed to shut down all modules and exit if any single module terminates unexpectedly. This design flaw leads to a cascading failure resulting in a denial of service across all managed EVSE units. The vulnerability can be exploited remotely without authentication or user interaction, as the attack surface includes network-accessible interfaces of the EV charging management system. Although there are no known exploits in the wild as of the publication date, the high CVSS score of 7.4 reflects the significant impact on availability and the ease of exploitation. The vulnerability does not affect confidentiality or integrity, but the complete service disruption can severely impact EV charging operations. The issue is resolved in version 2025.10.0 by replacing assert-based error handling with more resilient mechanisms that prevent the manager from shutting down all modules upon a single module failure.

For European organizations operating EV charging infrastructure using the affected EVerest everest-core versions, this vulnerability poses a significant risk of widespread denial of service. The cascading shutdown of all EVSE modules managed by the software can disrupt charging services for multiple users simultaneously, potentially causing operational downtime, customer dissatisfaction, and financial losses. Given the increasing reliance on EV infrastructure to meet EU climate goals and the growing EV adoption rates, such disruptions could have broader implications on transportation and energy sectors. Critical infrastructure operators and commercial charging station providers may face reputational damage and regulatory scrutiny if service availability is compromised. Additionally, the vulnerability could be exploited by threat actors aiming to cause disruption or leverage the downtime for further attacks. The lack of confidentiality or integrity impact limits data breach concerns, but availability impact alone is substantial given the essential nature of EV charging services.

The primary mitigation is to upgrade all affected EVerest everest-core installations to version 2025.10.0 or later, where the assert-based error handling has been replaced with robust mechanisms preventing manager shutdown on module failure. Organizations should implement rigorous input validation and error handling practices within their EV charging software stacks to avoid similar cascading failures. Network segmentation and access controls should be enforced to limit exposure of management interfaces to untrusted networks. Monitoring and alerting should be enhanced to detect module crashes promptly and enable rapid response before full service disruption occurs. Additionally, operators should conduct regular software audits and vulnerability assessments on EV infrastructure components. In environments where immediate patching is not feasible, temporary mitigations could include isolating vulnerable modules or deploying redundant management systems to maintain service continuity.