CVE-2025-68141: CWE-476: NULL Pointer Dereference in EVerest everest-core
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)` which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68141 is a vulnerability classified under CWE-476 (NULL Pointer Dereference) affecting the everest-core component of the EVerest EV charging software stack. The flaw exists in versions prior to 2025.10.0 during the deserialization process of DC_ChargeLoopRes messages that include Receipt and TaxCosts data. Specifically, the vulnerability occurs in the template specialization method convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out), where the vector tax_costs within the Receipt structure is accessed out of bounds. This improper access leads to a null pointer dereference, causing the affected module to terminate unexpectedly. Since EVerest processes and all its modules shut down upon this failure, the entire EVSE (Electric Vehicle Supply Equipment) managed by the software becomes non-operational, resulting in a denial of service condition. The vulnerability has a CVSS 3.1 base score of 7.4, indicating high severity, with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact affects availability (A:H) but does not compromise confidentiality or integrity. No known exploits are currently reported in the wild. The issue is resolved in version 2025.10.0 of the EVerest software stack.
Potential Impact
For European organizations operating EV charging infrastructure using the EVerest everest-core software, this vulnerability poses a significant risk of service disruption. The null pointer dereference causes the charging software modules to crash and shut down, leading to unavailability of EV charging stations. This can impact EV drivers, fleet operators, and public charging networks, potentially causing operational delays and customer dissatisfaction. Given the increasing reliance on EV infrastructure in Europe to meet climate goals, such outages could have broader economic and reputational consequences. Additionally, the vulnerability does not require authentication or user interaction, increasing the risk of exploitation by attackers with adjacent-network access to the charging infrastructure. While confidentiality and integrity are not directly impacted, the availability loss could disrupt critical transportation services and undermine trust in EV infrastructure providers.
Mitigation Recommendations
1. Immediate upgrade to EVerest everest-core version 2025.10.0 or later to apply the official fix.
2. Implement strict input validation and sanity checks on deserialized data structures, especially vectors like tax_costs, to prevent out-of-bounds access.
3. Employ network segmentation and firewall rules to restrict access to EVSE management interfaces and limit exposure to adjacent network attackers.
4. Monitor EVSE software logs for unexpected crashes or restarts indicative of exploitation attempts.
5. Develop incident response plans specific to EV infrastructure outages to minimize downtime.
6. Collaborate with EVerest vendors for timely security updates and vulnerability disclosures.
7. Consider deploying runtime protections such as memory safety tools or application-level watchdogs to detect and recover from null pointer dereferences.
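The bounds checking in recommendation 2, sketched as an added example; this is not EVerest's code or its fix. The struct names, the capacity `kMaxTaxCosts`, the `tax_costs_len` field and `convert_receipt` are hypothetical stand-ins for a decoder struct with a fixed array and a length field being copied into a `std::vector`.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical decoder-side structs: fixed array plus a length field from the wire.
constexpr std::size_t kMaxTaxCosts = 10;  // assumed capacity
struct WireDetailedTax { uint32_t tax_rule_id; int16_t exponent; int16_t value; };
struct WireReceipt {
    WireDetailedTax tax_costs[kMaxTaxCosts];
    uint16_t tax_costs_len;  // taken from the decoded message, so untrusted
};

// Hypothetical application-side types.
struct DetailedTax { uint32_t tax_rule_id; double amount; };
struct Receipt { std::vector<DetailedTax> tax_costs; };

// Returns false (leaving `out` empty) on an inconsistent length field.
bool convert_receipt(const WireReceipt& in, Receipt& out) {
    out.tax_costs.clear();
    if (in.tax_costs_len > kMaxTaxCosts) {
        return false;  // never read past the source array
    }
    out.tax_costs.reserve(in.tax_costs_len);
    for (std::size_t i = 0; i < in.tax_costs_len; ++i) {
        const WireDetailedTax& t = in.tax_costs[i];
        // push_back grows the destination; writing out.tax_costs[i] into a
        // vector that was never resized would be an out-of-bounds access.
        out.tax_costs.push_back({t.tax_rule_id, t.value * std::pow(10.0, t.exponent)});
    }
    return true;
}

int main() {
    WireReceipt msg{};  // constructed sample input
    msg.tax_costs[0] = {1, -2, 1950};
    msg.tax_costs_len = 1;
    Receipt r;
    bool ok = convert_receipt(msg, r);
    std::printf("valid: %d, entries: %zu\n", ok, r.tax_costs.size());
    msg.tax_costs_len = 200;  // length larger than the array
    ok = convert_receipt(msg, r);
    std::printf("oversized: %d, entries: %zu\n", ok, r.tax_costs.size());
    return 0;
}
```

Returning an error to the caller lets the module drop the malformed message instead of terminating, which is the availability failure this CVE describes.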
Affected Countries
Germany, Netherlands, France, Norway, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T18:15:08.404Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697131a44623b1157ce981d6
Added to database: 1/21/2026, 8:05:56 PM
Last enriched: 1/21/2026, 8:20:17 PM
Last updated: 1/21/2026, 10:13:56 PM
Related Threats
- CVE-2026-23526: CWE-267: Privilege Defined With Unsafe Actions in cvat-ai cvat (High)
- CVE-2026-23518: CWE-347: Improper Verification of Cryptographic Signature in fleetdm fleet (Critical)
- CVE-2026-23517: CWE-862: Missing Authorization in fleetdm fleet (Medium)
- CVE-2026-23516: CWE-83: Improper Neutralization of Script in Attributes in a Web Page in cvat-ai cvat (High)
- CVE-2026-22808: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fleetdm fleet (Medium)