CVE-2025-68134 is a vulnerability classified under CWE-20 (Improper Input Validation) affecting the EVerest everest-core software, a critical component of the EVerest EV charging software stack. The root cause is the inappropriate use of the assert function for error handling in versions prior to 2025.10.0. When invalid input triggers an assertion failure, the affected module crashes. The EVerest manager process, responsible for orchestrating multiple EVSE (Electric Vehicle Supply Equipment) modules, is designed to shut down all modules and exit if any single module terminates unexpectedly. This design flaw leads to a cascading denial of service, impacting all EVSE managed by the system and thereby multiple users simultaneously. The vulnerability does not compromise confidentiality or integrity but severely impacts availability. Exploitation requires no privileges or user interaction, and the attack vector is network-based (AV:A - adjacent network). The CVSS v3.1 base score is 7.4 (high), reflecting the ease of exploitation and the broad impact on availability and system scope (S:C - changed scope). Although no exploits have been reported in the wild, the vulnerability is critical for operators of EV charging infrastructure. The fix was introduced in version 2025.10.0 by replacing assert-based error handling with more resilient input validation and error management mechanisms.

For European organizations operating EV charging infrastructure using EVerest everest-core, this vulnerability can cause widespread denial of service, disrupting EV charging availability for multiple users simultaneously. This can lead to operational downtime, customer dissatisfaction, and potential financial losses, especially in regions with high EV adoption. The cascading shutdown of modules affects the reliability and availability of charging stations, which are critical for supporting Europe’s transition to sustainable transportation. Additionally, service outages could impact public perception and trust in EV infrastructure providers. In critical urban areas or along major transit corridors, such disruptions could have broader economic and mobility consequences. Since the vulnerability does not affect confidentiality or integrity, data breaches or manipulation are not a concern here, but the availability impact alone is significant given the reliance on EV charging services.

The primary mitigation is to upgrade all affected EVerest everest-core installations to version 2025.10.0 or later, where the assert-based error handling has been replaced with proper input validation and robust error management. Organizations should audit their EVSE management systems to identify any instances running vulnerable versions. Additionally, implement network segmentation and monitoring to detect abnormal module terminations or crashes that could indicate exploitation attempts. Employ rigorous input validation at all interfaces exposed to network inputs to prevent malformed data from triggering assertion failures. Consider deploying redundancy and failover mechanisms in the EVSE management architecture to minimize service disruption if a module fails. Regularly review and test error handling logic in critical software components to avoid similar single points of failure. Finally, maintain up-to-date incident response plans tailored to EV infrastructure outages.