CVE-2025-68139: CWE-384: Session Fixation in EVerest everest-core
CVE-2025-68139 is a session fixation vulnerability in the EVerest everest-core EV charging software stack affecting versions up to 2025. 12. 1. The default configuration does not terminate sessions or connections upon failed responses, allowing attackers to potentially exploit session management weaknesses. Although changing the setting to terminate connections on failure mitigates the issue, it is not enabled by default due to risks of causing ECU resets and vehicle charging unavailability. The vulnerability has a medium severity with a CVSS score of 4. 3, indicating limited impact on confidentiality and integrity without affecting availability. No known exploits are reported in the wild. European EV charging infrastructure operators using EVerest software should carefully evaluate the trade-offs between security and operational stability. Mitigation involves enabling the terminate_connection_on_failed_response setting while preparing for possible vehicle ECU disruptions.
AI Analysis
Technical Summary
CVE-2025-68139 is a session fixation vulnerability classified under CWE-384 found in the EVerest everest-core software, a critical component of the EV charging ecosystem. The vulnerability arises because the default configuration for the parameter terminate_connection_on_failed_response is set to false, meaning that when the module encounters errors, it logs them but does not reset or terminate the session or connection. This behavior leaves session management responsibilities to the electric vehicle (EV) itself, potentially allowing an attacker to exploit session fixation or other related session management weaknesses. Session fixation attacks can enable an attacker to hijack or manipulate sessions by forcing a user to use a known session identifier. The maintainers have chosen not to enable the safer setting by default because doing so can cause vehicle electronic control units (ECUs) to reset, resulting in temporary unavailability of charging services and operational disruptions. This trade-off prioritizes vehicle stability over immediate security hardening. The vulnerability affects all versions up to and including 2025.12.1. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is adjacent network (AV:A), requires no privileges or user interaction, and impacts integrity but not confidentiality or availability. No public exploits have been reported yet, but the vulnerability could be leveraged as part of a broader attack chain targeting EV charging infrastructure or vehicle systems. The lack of a default secure configuration means that operators must proactively adjust settings to mitigate risk, balancing security with operational constraints.
Potential Impact
For European organizations, particularly those operating EV charging infrastructure or managing fleets of electric vehicles, this vulnerability poses a moderate risk. Exploitation could allow attackers to manipulate session states, potentially enabling unauthorized actions or facilitating further attacks on the EV or charging station systems. While the vulnerability does not directly compromise confidentiality or availability, it undermines session integrity, which could lead to unauthorized charging sessions, billing fraud, or disruption of charging workflows. The operational impact is complicated by the fact that enabling the mitigation setting may cause vehicle ECU resets, leading to temporary unavailability of charging services and customer dissatisfaction. This trade-off could affect service reliability and trust in EV charging networks. Given Europe's strong push towards EV adoption and the critical role of charging infrastructure, any disruption or security compromise could have cascading effects on transportation and energy sectors. Additionally, attackers might leverage this vulnerability as a foothold for more sophisticated attacks targeting connected vehicle systems or grid management components.
Mitigation Recommendations
European EV charging operators and software integrators using EVerest everest-core should immediately evaluate the feasibility of enabling the terminate_connection_on_failed_response setting to true, understanding that this may cause ECU resets and temporary vehicle charging unavailability. To mitigate operational impact, operators should implement this change during planned maintenance windows and communicate potential disruptions to customers. Additionally, monitoring and anomaly detection should be enhanced around session management events to detect suspicious session fixation attempts or abnormal session behaviors. Operators should also ensure that their EVSE (Electric Vehicle Supply Equipment) firmware and software are updated to the latest versions beyond 2025.12.1 once patches or safer default configurations become available. Network segmentation and strict access controls should be enforced to limit exposure of the EV charging management interfaces to trusted networks only. Finally, collaboration with vehicle manufacturers to better understand ECU reset impacts and explore firmware updates that tolerate stricter session management policies without causing resets could provide a longer-term resolution.
Affected Countries
Germany, Netherlands, Norway, France, United Kingdom
CVE-2025-68139: CWE-384: Session Fixation in EVerest everest-core
Description
CVE-2025-68139 is a session fixation vulnerability in the EVerest everest-core EV charging software stack affecting versions up to 2025. 12. 1. The default configuration does not terminate sessions or connections upon failed responses, allowing attackers to potentially exploit session management weaknesses. Although changing the setting to terminate connections on failure mitigates the issue, it is not enabled by default due to risks of causing ECU resets and vehicle charging unavailability. The vulnerability has a medium severity with a CVSS score of 4. 3, indicating limited impact on confidentiality and integrity without affecting availability. No known exploits are reported in the wild. European EV charging infrastructure operators using EVerest software should carefully evaluate the trade-offs between security and operational stability. Mitigation involves enabling the terminate_connection_on_failed_response setting while preparing for possible vehicle ECU disruptions.
AI-Powered Analysis
Technical Analysis
CVE-2025-68139 is a session fixation vulnerability classified under CWE-384 found in the EVerest everest-core software, a critical component of the EV charging ecosystem. The vulnerability arises because the default configuration for the parameter terminate_connection_on_failed_response is set to false, meaning that when the module encounters errors, it logs them but does not reset or terminate the session or connection. This behavior leaves session management responsibilities to the electric vehicle (EV) itself, potentially allowing an attacker to exploit session fixation or other related session management weaknesses. Session fixation attacks can enable an attacker to hijack or manipulate sessions by forcing a user to use a known session identifier. The maintainers have chosen not to enable the safer setting by default because doing so can cause vehicle electronic control units (ECUs) to reset, resulting in temporary unavailability of charging services and operational disruptions. This trade-off prioritizes vehicle stability over immediate security hardening. The vulnerability affects all versions up to and including 2025.12.1. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is adjacent network (AV:A), requires no privileges or user interaction, and impacts integrity but not confidentiality or availability. No public exploits have been reported yet, but the vulnerability could be leveraged as part of a broader attack chain targeting EV charging infrastructure or vehicle systems. The lack of a default secure configuration means that operators must proactively adjust settings to mitigate risk, balancing security with operational constraints.
Potential Impact
For European organizations, particularly those operating EV charging infrastructure or managing fleets of electric vehicles, this vulnerability poses a moderate risk. Exploitation could allow attackers to manipulate session states, potentially enabling unauthorized actions or facilitating further attacks on the EV or charging station systems. While the vulnerability does not directly compromise confidentiality or availability, it undermines session integrity, which could lead to unauthorized charging sessions, billing fraud, or disruption of charging workflows. The operational impact is complicated by the fact that enabling the mitigation setting may cause vehicle ECU resets, leading to temporary unavailability of charging services and customer dissatisfaction. This trade-off could affect service reliability and trust in EV charging networks. Given Europe's strong push towards EV adoption and the critical role of charging infrastructure, any disruption or security compromise could have cascading effects on transportation and energy sectors. Additionally, attackers might leverage this vulnerability as a foothold for more sophisticated attacks targeting connected vehicle systems or grid management components.
Mitigation Recommendations
European EV charging operators and software integrators using EVerest everest-core should immediately evaluate the feasibility of enabling the terminate_connection_on_failed_response setting to true, understanding that this may cause ECU resets and temporary vehicle charging unavailability. To mitigate operational impact, operators should implement this change during planned maintenance windows and communicate potential disruptions to customers. Additionally, monitoring and anomaly detection should be enhanced around session management events to detect suspicious session fixation attempts or abnormal session behaviors. Operators should also ensure that their EVSE (Electric Vehicle Supply Equipment) firmware and software are updated to the latest versions beyond 2025.12.1 once patches or safer default configurations become available. Network segmentation and strict access controls should be enforced to limit exposure of the EV charging management interfaces to trusted networks only. Finally, collaboration with vehicle manufacturers to better understand ECU reset impacts and explore firmware updates that tolerate stricter session management policies without causing resets could provide a longer-term resolution.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-15T18:15:08.403Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69712e204623b1157ce8e0b8
Added to database: 1/21/2026, 7:50:56 PM
Last enriched: 1/29/2026, 8:45:37 AM
Last updated: 2/7/2026, 11:31:31 AM
Views: 48
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2083: SQL Injection in code-projects Social Networking Site
MediumCVE-2026-2082: OS Command Injection in D-Link DIR-823X
MediumCVE-2026-2080: Command Injection in UTT HiPER 810
HighCVE-2026-2079: Improper Authorization in yeqifu warehouse
MediumCVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.