CVE-2025-68139 identifies a session fixation vulnerability (CWE-384) in the EVerest everest-core software, a critical component of the EV charging infrastructure. The issue stems from the default configuration parameter 'terminate_connection_on_failed_response' being set to false in all versions up to 2025.12.1. This setting means that when the module encounters errors, it logs them but does not terminate or reset the session or connection, leaving sessions potentially open and vulnerable to fixation attacks. Session fixation allows an attacker to set or maintain a valid session identifier, which can then be used to hijack or manipulate sessions, potentially enabling exploitation of other vulnerabilities or unauthorized actions within the charging system. The maintainers have chosen not to change the default to true because enabling session termination on failed responses can cause vehicle ECUs to reset, leading to extended unavailability of charging services, which is considered a greater operational risk. Although no exploits are currently known in the wild, the vulnerability's existence requires attention due to the critical role of EV charging infrastructure. The CVSS 3.1 score of 4.3 reflects a medium severity with an attack vector over the network, low attack complexity, no privileges required, no user interaction, and limited impact on integrity without affecting confidentiality or availability. This vulnerability highlights the trade-off between security and operational stability in embedded automotive systems.

For European organizations operating EV charging infrastructure using EVerest everest-core, this vulnerability could allow attackers to fixate sessions and potentially exploit other weaknesses, leading to unauthorized manipulation of charging sessions or disruption of service integrity. While the vulnerability does not directly compromise confidentiality or availability, the integrity impact could affect billing accuracy, session management, or user authentication processes. Given the increasing adoption of EVs and charging networks across Europe, exploitation could undermine trust in EV infrastructure and cause operational disruptions. However, the risk of widespread exploitation is mitigated by the lack of known exploits and the requirement that attackers can interact with the charging system network. The operational decision to keep the default setting to avoid ECU resets means organizations must carefully weigh security improvements against potential service downtime. European critical infrastructure operators and EV service providers should prioritize patching or configuration changes in controlled environments to reduce risk without impacting vehicle availability.

1. Evaluate the feasibility of setting 'terminate_connection_on_failed_response' to true in controlled environments to enforce session termination on failed responses, reducing session fixation risk. 2. Implement network segmentation and strict access controls around EV charging infrastructure to limit exposure to untrusted networks and potential attackers. 3. Monitor logs for repeated failed responses or suspicious session behaviors that could indicate exploitation attempts. 4. Coordinate with vehicle manufacturers and software maintainers to understand the impact of configuration changes on ECU stability and explore firmware updates that mitigate ECU reset issues. 5. Develop incident response plans specific to EV charging infrastructure to quickly address potential session fixation or related attacks. 6. Stay updated with vendor advisories and apply patches or configuration recommendations as they become available. 7. Consider deploying additional authentication or session management layers at the network or application level to complement the software's built-in mechanisms. 8. Conduct regular security assessments and penetration testing focused on session management within EV charging systems.