CVE-2026-24003: CWE-287: Improper Authentication in EVerest everest-core
CVE-2026-24003 is a medium-severity improper authentication vulnerability in the EVerest everest-core EV charging software stack, affecting versions up to and including 2025.12.1. An attacker who can publish ISO 15118-2 messages to the MQTT broker that everest-core uses can bypass sequence-state verification and authentication checks and drive the EVSEManager Charger internal state machine into states that should be unreachable. The attacker can make the charger prepare to charge and prepare to deliver current, but the final step, closing the contactors to actually deliver current, requires leaving the WaitingForAuthentication state, and that transition remains protected. No patch was available at the time of publication and no exploitation in the wild is known. The vulnerability affects the integrity of the charging process, not confidentiality or availability. Organizations deploying EVerest-based charging infrastructure should apply compensating controls until a fix is released.
AI Analysis
Technical Summary
CVE-2026-24003 identifies an improper authentication vulnerability (CWE-287) combined with an incorrect authorization flaw (CWE-863) in the everest-core component of the EVerest EV charging software stack. EVerest is modular: authorization is handled by a separate path from the EVSEManager Charger internal state machine, which is what ultimately gates the physical charging actions. In affected versions (up to and including 2025.12.1), the Charger state machine holds a session in WaitingForAuthentication until authorization succeeds, and that state is meant to block further progress of the ISO 15118-2 session. Because the ISO 15118-2 handling does not sufficiently verify the sequence state, an attacker who can publish crafted ISO 15118-2 messages to the MQTT broker can skip the authentication-dependent checks and push the session into states that should be forbidden at that point. The system can be made to prepare for charging and prepare to deliver current to the vehicle. The last physical action, closing the contactors, still requires the Charger to leave WaitingForAuthentication through a legitimate authorization, so no current is delivered and the practical impact is limited. Confidentiality and availability are not affected; the integrity of the charging session state is, since unauthorized charging preparations become possible. No patch or fixed version was available at disclosure, and no active exploitation has been reported.
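To make the CWE-287/CWE-863 pattern concrete, the following is an added toy model written for this page; it is not everest-core's code and does not reproduce the real message handling. It keeps two pieces of state the advisory distinguishes: the ISO 15118-2 sequence position driven by incoming requests, and the Charger state that gates the contactors. The message names are real ISO 15118-2 request names, but the strict ordering, the state names and the `Session`/`run` helpers are assumptions of this model. With `verify_sequence=False` a request is accepted on its type alone, so an unauthorized `PowerDeliveryReq` reaches the "prepared to charge" step while the contactors stay open, which is the behaviour the advisory describes; with `verify_sequence=True` the request is rejected because it neither follows the expected predecessor nor has an authorization behind it.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class ChargerState(Enum):
    """EVSE-side charger states (names are an assumption of this model)."""
    WAITING_FOR_AUTHENTICATION = auto()
    PREPARE_CHARGING = auto()
    CHARGING = auto()


# Simplified ISO 15118-2 request order for one session. The names are real
# V2G request names; treating this as a strict sequence is a model assumption.
SEQUENCE = ["SessionSetupReq", "AuthorizationReq",
            "ChargeParameterDiscoveryReq", "PowerDeliveryReq"]
AUTH_GATE = SEQUENCE.index("AuthorizationReq")


@dataclass
class Session:
    verify_sequence: bool                 # False reproduces the flawed behaviour
    charger: ChargerState = ChargerState.WAITING_FOR_AUTHENTICATION
    authorized: bool = False              # set only by the authorization path
    seq_index: int = -1                   # index of the last accepted request
    prepared_to_charge: bool = False
    contactors_closed: bool = False
    rejected: list = field(default_factory=list)

    def grant_authorization(self) -> None:
        """Called by the separate authorization module after a valid token."""
        self.authorized = True
        self.charger = ChargerState.PREPARE_CHARGING

    def handle_v2g(self, msg: str) -> bool:
        """Process one ISO 15118-2 request received from the message bus."""
        if msg not in SEQUENCE:
            self.rejected.append(msg)
            return False
        want = self.seq_index + 1
        if self.verify_sequence:
            # Sequence-state check: only the next expected request is valid.
            if want >= len(SEQUENCE) or SEQUENCE[want] != msg:
                self.rejected.append(msg)
                return False
            # Authentication gate: nothing beyond AuthorizationReq without auth.
            if want > AUTH_GATE and not self.authorized:
                self.rejected.append(msg)
                return False
            self.seq_index = want
        else:
            # Flawed: the message type alone selects the new sequence state.
            self.seq_index = SEQUENCE.index(msg)
        if msg == "PowerDeliveryReq":
            self.prepared_to_charge = True    # EVSE prepares to deliver current
            self.close_contactors()
        return True

    def close_contactors(self) -> None:
        """Contactors close only from an authorized Charger state."""
        if self.authorized and self.charger == ChargerState.PREPARE_CHARGING:
            self.charger = ChargerState.CHARGING
            self.contactors_closed = True


def run(verify_sequence: bool, authorize: bool, msgs: list[str]) -> Session:
    """Drive one session; authorization (if any) is granted up front here,
    which is a simplification of the real ordering."""
    s = Session(verify_sequence=verify_sequence)
    if authorize:
        s.grant_authorization()
    for m in msgs:
        s.handle_v2g(m)
    return s


if __name__ == "__main__":
    flawed = run(False, False, ["SessionSetupReq", "PowerDeliveryReq"])
    print("flawed: prepared", flawed.prepared_to_charge,
          "contactors", flawed.contactors_closed, flawed.charger.name)
    fixed = run(True, False, ["SessionSetupReq", "PowerDeliveryReq"])
    print("hardened: rejected", fixed.rejected)
```

The point of the model is the split between the two checks: the contactor gate alone is what keeps the flawed variant from delivering current, exactly as the advisory states, while only the sequence-state check stops the session from being walked into an unauthorized "prepared" condition in the first place.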
Potential Impact
For European organizations operating EV charging infrastructure on EVerest everest-core, this vulnerability threatens the integrity of charging session management. An attacker with network access to the MQTT broker, or with a foothold on a host that can publish to it, could manipulate session states and cause unauthorized charging preparations. Because the contactors cannot be closed this way, no unauthorized power is delivered, but the manipulated state could disrupt normal operation, produce inaccurate session records and billing, or serve as a building block when chained with other weaknesses. Given the scale of EV charging deployment across Europe, particularly in countries with strong EV adoption incentives, the affected systems sit in the transportation and energy sectors. The impact is on operational integrity and the trustworthiness of charging sessions rather than on data confidentiality or system availability.
Mitigation Recommendations
Until a vendor patch is released, operators should treat the MQTT broker as a trust boundary: segment it from vehicle-facing and operator networks, require client authentication and TLS on the broker, and restrict with broker ACLs which clients may publish on the topics that carry ISO 15118-2 messages, since an unauthenticated or over-permissive broker is what lets spoofed messages reach the state machine. Monitoring should be extended to flag ISO 15118-2 requests that arrive out of sequence or before authorization has been granted, and Charger state transitions that do not match the session's authorization status. Operators should review the EVSEManager and related module configuration for the strictest available state validation. Engaging with the EVerest project for early patches or workarounds is recommended. Finally, verify that the contactor-closure path really does depend on a legitimate transition out of WaitingForAuthentication on the deployed version, as that dependency is what currently prevents unauthorized current delivery.
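The monitoring recommendation above can be approximated with a small detector over an event log from the message bus. What follows is an added example written for this page, not EVerest code, and the log format is constructed: each line is `<timestamp> <evse_id> <kind> <value>` where `kind` is `v2g` (an ISO 15118-2 request name), `state` (a Charger state) or `auth` (`granted`/`denied`). The message names are real ISO 15118-2 request names; the simplified ordering, the state names and the sample lines are assumptions. The detector tracks, per EVSE, whether authorization has been granted and which request was last seen, and raises an alert for any request that skips the expected order or that needs authorization while none has been granted. In the constructed sample, evse-01 is the pattern the advisory describes (a `PowerDeliveryReq` straight after session setup while still unauthenticated), evse-02 is a clean session, and evse-03 is an in-order session that nonetheless proceeds past the authorization gate without a grant.

```python
import re
from collections import defaultdict

# Constructed sample log (not real EVerest output); format is an assumption.
SAMPLE_LOG = """\
2026-01-26T22:20:56Z evse-01 v2g SessionSetupReq
2026-01-26T22:20:57Z evse-01 state WaitingForAuthentication
2026-01-26T22:20:58Z evse-01 v2g PowerDeliveryReq
2026-01-26T22:21:00Z evse-02 v2g SessionSetupReq
2026-01-26T22:21:01Z evse-02 state WaitingForAuthentication
2026-01-26T22:21:02Z evse-02 v2g AuthorizationReq
2026-01-26T22:21:03Z evse-02 auth granted
2026-01-26T22:21:04Z evse-02 state PrepareCharging
2026-01-26T22:21:05Z evse-02 v2g ChargeParameterDiscoveryReq
2026-01-26T22:21:06Z evse-02 v2g PowerDeliveryReq
2026-01-26T22:21:10Z evse-03 v2g SessionSetupReq
2026-01-26T22:21:11Z evse-03 state WaitingForAuthentication
2026-01-26T22:21:12Z evse-03 v2g AuthorizationReq
2026-01-26T22:21:13Z evse-03 v2g ChargeParameterDiscoveryReq
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (v2g|state|auth) (\S+)$")

# Simplified ISO 15118-2 request order (real names; strict ordering is a
# model assumption). Requests after AuthorizationReq require a granted auth.
ORDER = ["SessionSetupReq", "AuthorizationReq",
         "ChargeParameterDiscoveryReq", "PowerDeliveryReq"]
AUTH_GATE = ORDER.index("AuthorizationReq")


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (evse_id, timestamp, reason) for each suspicious V2G request."""
    alerts: list[tuple[str, str, str]] = []
    authorized: dict[str, bool] = defaultdict(bool)
    last_idx: dict[str, int] = defaultdict(lambda: -1)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines in other formats
        ts, evse, kind, value = m.groups()
        if kind == "auth":
            authorized[evse] = value == "granted"
        elif kind == "state" and value == "WaitingForAuthentication":
            authorized[evse] = False       # a new session starts unauthorized
        elif kind == "v2g":
            if value not in ORDER:
                continue                   # requests outside the model
            idx = ORDER.index(value)
            if idx != last_idx[evse] + 1:
                alerts.append((evse, ts,
                               f"{value} out of sequence after index {last_idx[evse]}"))
            if idx > AUTH_GATE and not authorized[evse]:
                alerts.append((evse, ts, f"{value} while unauthorized"))
            last_idx[evse] = idx
    return alerts


if __name__ == "__main__":
    for evse, ts, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ts} {evse}: {reason}")
```

Two separate alert conditions are deliberate: the sequence check catches the skipped-step pattern, while the authorization check catches a session that is formally in order but has not been granted, which a pure ordering check would miss. Both should be triggered in a live deployment by feeding the same events the state machine consumes, so that the detector and the charger see identical input.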
Affected Countries
Germany, France, Netherlands, Norway, Sweden, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-19T18:49:20.659Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6977e8c84623b1157cbefcb4
Added to database: 1/26/2026, 10:20:56 PM
Last enriched: 1/26/2026, 10:35:17 PM
Last updated: 1/27/2026, 1:12:13 AM