CVE-2025-68135: CWE-703: Improper Check or Handling of Exceptional Conditions in EVerest everest-core
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, causing the loop and its caller to silently terminate. Because the loop is responsible for the SDP and ISO15118-20 servers, this results in a denial of service. Version 2025.10.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68135 is a vulnerability classified under CWE-703, improper check or handling of exceptional conditions. In EVerest everest-core versions prior to 2025.10.0, the TbdController loop does not properly handle C++ exceptions. When an exception occurs, the loop and its caller silently terminate without logging or recovery, causing a denial of service. The TbdController is responsible for the SDP (SECC Discovery Protocol) and ISO15118-20 servers, which are essential components of the EV charging communication standards. When these servers stop, communication between EVs and charging stations breaks down and charging sessions can be halted. The vulnerability has a CVSS v3.1 score of 6.5 (medium severity): adjacent-network attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N, I:N), but high impact on availability (A:H). There are no known exploits in the wild as of the publication date. The issue was reserved in December 2025 and published in January 2026, with the fix released in version 2025.10.0. The vulnerability highlights the importance of robust exception handling in critical infrastructure software to maintain service availability.
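The failure mode the summary describes, an exception escaping a long-running service loop, is shown below as an added C++ example. This is illustrative code written for this page, not EVerest code: the `Message` type, the `handle_message` handler, the loop functions and the sample queue are hypothetical stand-ins. The unguarded loop lets the first exception unwind out of the loop, so every later request is dropped and the caller sees a crash; the guarded loop catches per iteration, records the error where a monitor can alert on it, and keeps serving the queue.

```cpp
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a request the controller loop would serve.
// Constructed for this example; not an EVerest type.
struct Message {
    std::string payload;
};

// What a batch run of the loop reports back to its caller.
struct LoopResult {
    int handled = 0;                 // requests served successfully
    int failed = 0;                  // requests whose handler threw
    bool exited_early = false;       // loop died before draining the queue
    std::vector<std::string> log;    // error lines a monitor could alert on
};

// Handler that throws on malformed input, the way a protocol parser might.
void handle_message(const Message& m) {
    if (m.payload.empty()) {
        throw std::runtime_error("malformed message: empty payload");
    }
}

// Vulnerable pattern: no handler around the loop body. The first exception
// unwinds out of run_loop_unguarded and every later message is dropped.
// On a std::thread with nothing catching it higher up, the escaping
// exception calls std::terminate and takes the whole process down.
LoopResult run_loop_unguarded(const std::vector<Message>& queue) {
    LoopResult r;
    for (const auto& m : queue) {
        handle_message(m);   // may throw; nothing here catches it
        ++r.handled;
    }
    return r;
}

// Hardened pattern: each iteration is guarded, the error is logged and
// counted, and the loop goes on serving the rest of the queue.
LoopResult run_loop_guarded(const std::vector<Message>& queue) {
    LoopResult r;
    for (const auto& m : queue) {
        try {
            handle_message(m);
            ++r.handled;
        } catch (const std::exception& e) {
            r.log.push_back(std::string("handler error: ") + e.what());
            ++r.failed;
        } catch (...) {          // non-std exceptions must not escape either
            r.log.push_back("handler error: unknown exception");
            ++r.failed;
        }
    }
    return r;
}

// What a caller observes from the vulnerable loop: the exception escapes,
// the partial work count is lost, and the caller has to treat it as a crash.
LoopResult run_unguarded_observed(const std::vector<Message>& queue) {
    try {
        return run_loop_unguarded(queue);
    } catch (const std::exception& e) {
        LoopResult r;
        r.exited_early = true;
        r.log.push_back(std::string("loop died: ") + e.what());
        return r;
    }
}

// Constructed sample queue: one malformed request between two valid ones.
std::vector<Message> sample_queue() {
    return {{"valid-1"}, {""}, {"valid-2"}};
}

int main() {
    LoopResult u = run_unguarded_observed(sample_queue());
    LoopResult g = run_loop_guarded(sample_queue());
    std::cout << "unguarded: exited_early=" << u.exited_early
              << " handled=" << u.handled << '\n';
    std::cout << "guarded:   handled=" << g.handled
              << " failed=" << g.failed << '\n';
    for (const auto& line : g.log) std::cout << "  " << line << '\n';
    return 0;
}
```

The guarded loop's `log` entries are the signal the mitigation section's monitoring should key on: a per-iteration error that is caught and counted is recoverable, whereas an escaping exception leaves nothing behind but a dead thread.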
Potential Impact
The primary impact of CVE-2025-68135 is a denial of service affecting the SDP and ISO15118-20 servers within the EVerest everest-core platform. For European organizations operating electric vehicle charging infrastructure, this can lead to service outages, preventing EVs from establishing or maintaining charging sessions. Such disruptions can degrade user experience, reduce operational efficiency, and potentially cause financial losses due to downtime. Given the increasing adoption of electric vehicles across Europe, especially in countries with aggressive EV policies, the availability of charging infrastructure is critical. A DoS in these communication servers could also undermine trust in EV infrastructure providers and slow EV adoption. While confidentiality and integrity are not impacted, the availability impact is significant, especially for public or commercial charging networks. The lack of required privileges or user interaction means attackers could exploit this remotely if they have network access, increasing the risk profile. Organizations may also face reputational damage and regulatory scrutiny if service disruptions affect compliance with energy or transportation regulations.
Mitigation Recommendations
To mitigate CVE-2025-68135, European organizations should prioritize upgrading the EVerest everest-core software to version 2025.10.0 or later, where the exception handling flaw is fixed. Until patching is complete, implement network segmentation and access controls to limit exposure of the affected SDP and ISO15118-20 servers to untrusted networks. Deploy monitoring and alerting for unexpected termination of the TbdController process or related services to enable rapid incident response. Consider implementing redundancy and failover mechanisms for critical EV charging communication components to maintain availability during failures. Conduct regular code reviews and testing focused on exception handling robustness in critical infrastructure software. Additionally, maintain an inventory of all systems running EVerest everest-core to ensure no vulnerable instances remain. Collaborate with vendors and industry groups to share threat intelligence and best practices related to EV charging infrastructure security. Finally, incorporate this vulnerability into incident response and business continuity planning to minimize operational impact.
Affected Countries
Germany, France, Netherlands, Norway, United Kingdom, Sweden, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T18:09:12.694Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697124574623b1157ce6527d
Added to database: 1/21/2026, 7:09:11 PM
Last enriched: 1/21/2026, 7:20:37 PM
Last updated: 1/21/2026, 11:51:02 PM