
CVE-2025-68140: CWE-863: Incorrect Authorization in EVerest everest-core

Medium
Published: Wed Jan 21 2026 (01/21/2026, 19:54:51 UTC)
Source: CVE Database V5
Vendor/Project: EVerest
Product: everest-core

Description

CVE-2025-68140 is a medium severity authorization vulnerability in the EVerest everest-core EV charging software stack versions prior to 2025.9.0. The flaw arises because when no session is registered, the default session ID is zero, allowing an attacker to submit messages with session ID 0 and bypass authorization checks. This enables unauthorized and anonymous indirect emission of MQTT messages and interaction with V2G message handlers, potentially updating session contexts without proper permissions. The vulnerability does not impact confidentiality or availability but can affect the integrity of session management. Exploitation requires network access but no authentication or user interaction. The issue is fixed in version 2025.9.0.

AI-Powered Analysis

Last updated: 01/29/2026, 08:45:59 UTC

Technical Analysis

CVE-2025-68140 is an authorization bypass vulnerability classified under CWE-863 found in the everest-core component of the EVerest EV charging software stack. The vulnerability stems from improper session ID validation logic. Specifically, after verifying the validity of a received Vehicle-to-Grid (V2G) message, the software checks if the submitted session ID matches the registered session ID. However, if no session has been registered yet, the system defaults the registered session ID to 0. Consequently, any message submitted with a session ID of 0 is accepted as valid, effectively bypassing authorization controls. This flaw allows an attacker to anonymously and indirectly emit MQTT messages and interact with V2G message handlers, enabling unauthorized updates to the session context. The vulnerability does not require authentication or user interaction but does require network access to the affected components. The impact is primarily on the integrity of session management, as unauthorized messages can alter session states. The vulnerability is present in all versions prior to 2025.9.0, which includes the default session ID logic. The vendor fixed the issue in version 2025.9.0 by correcting the session ID validation mechanism to prevent acceptance of messages with a session ID of 0 when no session is registered. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but acknowledging the integrity risk and ease of exploitation without privileges.
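The check described above, reduced to a minimal C++ sketch and shown beside a fail-closed variant. This is an added example, not everest-core source or the vendor's patch; all type and function names are hypothetical, and the hardened form assumes the handler in question requires an established session.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// Hypothetical types for illustration; not everest-core source.
struct V2gMessage {
    uint64_t session_id;  // session ID carried in the message header
};

// Pattern from the analysis: "no session registered" is stored as 0,
// so the sentinel collides with a value a peer can put on the wire.
struct SentinelSessionStore {
    uint64_t registered_id = 0;  // stays 0 until a session is registered

    bool authorize(const V2gMessage& msg) const {
        return msg.session_id == registered_id;  // 0 == 0 passes with no session
    }
};

// Fail-closed variant (assumed design, not the vendor's patch): absence of
// a session is its own state and 0 can never become the registered ID.
struct OptionalSessionStore {
    std::optional<uint64_t> registered_id;  // empty until registered

    bool register_session(uint64_t id) {
        if (id == 0) return false;  // never register the old sentinel value
        registered_id = id;
        return true;
    }

    bool authorize(const V2gMessage& msg) const {
        if (!registered_id.has_value()) return false;  // no session: reject
        return msg.session_id == *registered_id;
    }
};

int main() {
    const V2gMessage zero{0};  // constructed sample message
    SentinelSessionStore weak;
    OptionalSessionStore fixed;
    std::printf("before registration: sentinel=%d optional=%d\n",
                weak.authorize(zero), fixed.authorize(zero));
    fixed.register_session(0x1122334455667788ULL);  // constructed session ID
    std::printf("after registration, id 0: optional=%d\n", fixed.authorize(zero));
    return 0;
}
```

Modelling "no session" as an empty `std::optional` rather than a reserved integer removes the collision between the default state and attacker-supplied input.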

Potential Impact

For European organizations operating EV charging infrastructure that relies on the EVerest everest-core software stack, this vulnerability poses a risk of unauthorized manipulation of charging sessions. Attackers could inject unauthorized MQTT messages or interact with V2G message handlers, potentially causing incorrect session updates or charging behaviors. While the vulnerability does not directly compromise confidentiality or availability, the integrity of session management is at risk, which could lead to billing inaccuracies, unauthorized energy usage, or disruption of charging operations. Given the increasing adoption of EVs and smart charging infrastructure across Europe, exploitation could undermine trust in EV charging services and cause operational challenges. The impact is more pronounced in environments where network segmentation is weak or where MQTT and V2G communication channels are exposed or insufficiently protected. Since no authentication is required, attackers with network access to the EV charging management systems could exploit this flaw, increasing the threat surface. However, the lack of known exploits in the wild suggests limited active exploitation currently.

Mitigation Recommendations

1. Upgrade all affected EVerest everest-core installations to version 2025.9.0 or later, which contains the fix for this vulnerability.
2. Implement strict network segmentation and access controls to restrict access to MQTT brokers and V2G message handlers only to authorized systems and users.
3. Employ network-level authentication and encryption for MQTT communications to prevent unauthorized message injection.
4. Monitor MQTT traffic and V2G session updates for anomalous patterns that could indicate exploitation attempts, such as unexpected session ID 0 messages.
5. Conduct regular security audits and penetration testing focused on EV charging infrastructure to identify and remediate similar authorization weaknesses.
6. Establish incident response procedures specific to EV charging systems to quickly detect and respond to unauthorized session manipulations.
7. Collaborate with EV charging software vendors and industry groups to stay informed about emerging threats and patches.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-15T18:15:08.404Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697131a44623b1157ce981e0

Added to database: 1/21/2026, 8:05:56 PM

Last enriched: 1/29/2026, 8:45:59 AM

Last updated: 2/7/2026, 8:46:16 AM
