CVE-2025-68140: CWE-863: Incorrect Authorization in EVerest everest-core
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G message handlers, updating a session context. Version 2025.9.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68140 is an authorization bypass vulnerability classified under CWE-863 affecting the everest-core component of the EVerest EV charging software stack. The vulnerability stems from the handling of session IDs in V2G (Vehicle-to-Grid) communication messages. When a V2G message is received, the software verifies its validity and then checks whether the submitted session ID matches the registered session ID. However, if no session has been registered yet, the registered session ID holds its default value of 0. Consequently, any message submitted with a session ID of 0 is accepted as valid, even if the sender is unauthorized and anonymous. This flaw allows an attacker to indirectly emit MQTT messages and interact with V2G message handlers, potentially updating the session context without proper authorization. This could lead to unauthorized manipulation of EV charging sessions, affecting the integrity of the charging process. The vulnerability requires no privileges or user interaction and can be exploited from an adjacent network (CVSS attack vector AV:A). The issue was fixed in version 2025.9.0, presumably by changing the session ID validation logic so that default or unregistered session IDs are no longer accepted. No known exploits have been reported in the wild as of the publication date. The CVSS 3.1 base score of 4.3 reflects a medium severity, primarily due to the integrity impact and the ease of exploitation without authentication.
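The following is an added illustration of the check described above, written for this analysis and not taken from everest-core: a session state that encodes "no session" as the default value 0 (the vulnerable pattern) beside one that uses an explicit absent state and never treats 0 as a match. Session IDs are modelled as 64-bit integers and the struct names are hypothetical.

```cpp
#include <cstdint>
#include <optional>

// Illustrative model of the CVE-2025-68140 pattern; not everest-core's code.
// Session IDs are modelled as uint64_t; the state structs are hypothetical.

struct VulnerableSessionState {
    // "No session registered" is represented by the default value 0.
    uint64_t registered_session_id = 0;
    bool accept(uint64_t submitted_session_id) const {
        // A submitted ID of 0 matches the default, even though no session exists.
        return submitted_session_id == registered_session_id;
    }
};

struct HardenedSessionState {
    // No session until one is explicitly established.
    std::optional<uint64_t> registered_session_id;
    bool register_session(uint64_t id) {
        if (id == 0) return false;   // 0 is never a valid session ID
        registered_session_id = id;
        return true;
    }
    bool accept(uint64_t submitted_session_id) const {
        // Reject when no session exists, and never treat 0 as a match.
        return registered_session_id.has_value()
            && submitted_session_id != 0
            && submitted_session_id == *registered_session_id;
    }
};

// Does a message carrying session ID 0 get through before any session exists?
bool vulnerable_accepts_zero_without_session() {
    VulnerableSessionState s;
    return s.accept(0);
}
bool hardened_accepts_zero_without_session() {
    HardenedSessionState s;
    return s.accept(0);
}
// After a session is registered, only that exact ID is accepted (constructed value).
bool hardened_accepts_only_registered() {
    HardenedSessionState s;
    s.register_session(0x1122334455667788ULL);
    return s.accept(0x1122334455667788ULL) && !s.accept(0) && !s.accept(1);
}
```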
Potential Impact
For European organizations operating EV charging infrastructure using EVerest everest-core versions prior to 2025.9.0, this vulnerability poses a risk to the integrity of EV charging sessions. Unauthorized actors could send forged V2G messages with a session ID of 0, causing unauthorized updates to session contexts and potentially disrupting or manipulating charging operations. This could undermine trust in EV charging services, cause operational disruptions, or enable further attacks on the EV infrastructure ecosystem. While confidentiality and availability impacts are minimal, the integrity compromise could affect billing accuracy, session management, and operational control. Given Europe's strong push for EV adoption and smart grid integration, such vulnerabilities could have cascading effects on energy management and EV user experience. The lack of required authentication and user interaction increases the risk of exploitation, especially in environments where network segmentation or additional security controls are insufficient.
Mitigation Recommendations
European organizations should immediately upgrade EVerest everest-core to version 2025.9.0 or later, where the session ID validation logic has been corrected. Until upgrades can be applied, network-level mitigations should be enforced, including strict segmentation of EV charging infrastructure networks to limit access to trusted devices only. Implement monitoring and anomaly detection for unusual MQTT or V2G message patterns, especially messages with session ID 0. Employ strong authentication and authorization controls on MQTT brokers and V2G message handlers to prevent unauthorized message injection. Conduct regular security audits and penetration testing focused on EV charging software stacks. Collaborate with vendors to ensure timely patch deployment and verify the integrity of software updates. Additionally, consider deploying application-layer firewalls or message validation proxies that can enforce stricter session ID checks and reject messages with default or invalid session IDs.
Affected Countries
Germany, France, Netherlands, Norway, United Kingdom, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T18:15:08.404Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697131a44623b1157ce981e0
Added to database: 1/21/2026, 8:05:56 PM
Last enriched: 1/21/2026, 8:20:30 PM
Last updated: 1/21/2026, 10:18:55 PM