
CVE-2026-24003: CWE-287: Improper Authentication in EVerest everest-core

Severity: Medium
Tags: Vulnerability, CVE-2026-24003, cve, cve-2026-24003, cwe-287, cwe-863
Published: Mon Jan 26 2026 (01/26/2026, 22:12:47 UTC)
Source: CVE Database V5
Vendor/Project: EVerest
Product: everest-core

Description

CVE-2026-24003 is a medium-severity improper authentication vulnerability in the EVerest everest-core EV charging software stack versions up to 2025.12.1. The flaw allows an attacker to bypass sequence state verification and authentication checks via ISO 15118-2 messages published to the MQTT server, enabling transitions to forbidden states and illegitimate context updates. Although the internal state machine prevents leaving the WaitingForAuthentication state without proper authentication, crafted messages can trick the system into preparing to charge and send current. However, the final step of closing contactors to actually deliver current appears not possible without proper state transition. No patches are available at the time of publication, and no known exploits exist in the wild. The vulnerability impacts the integrity of the charging process but does not affect confidentiality or availability. European organizations operating EV charging infrastructure using EVerest software are at risk, especially in countries with high EV adoption and infrastructure deployment. Mitigation involves strict network segmentation, monitoring MQTT traffic for anomalous ISO 15118-2 messages, and applying vendor updates once available.

AI-Powered Analysis

Last updated: 02/03/2026, 08:36:56 UTC

Technical Analysis

CVE-2026-24003 is an improper authentication vulnerability (CWE-287) in the everest-core component of the EVerest EV charging software stack, affecting versions up to and including 2025.12.1. The vulnerability arises from the ability to bypass sequence state verification and authentication mechanisms within the EVSEManager Charger internal state machine. Normally, authorization is handled by a separate module, and the state machine prevents transitioning out of the WaitingForAuthentication state via ISO 15118-2 communication, which is a protocol standard for EV charging communication. However, due to the modular design and the way ISO 15118-2 messages are published to the MQTT server, an attacker can send crafted messages that cause the system to prepare for charging and even prepare to send current without proper authentication. This means the internal context can be updated with illegitimate data, potentially leading to unauthorized charging operations. The final step to actually send current requires closing contactors, which the attacker cannot trigger without leaving the WaitingForAuthentication state, thus limiting the exploitability. No patches or fixed versions are available at the time of disclosure, and no known exploits have been reported in the wild. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on integrity without affecting confidentiality or availability, and the requirement for network access but no privileges or user interaction.

Potential Impact

For European organizations, this vulnerability poses a risk to the integrity of EV charging operations, potentially allowing unauthorized manipulation of charging states and preparation to deliver current. While the inability to close contactors without proper authentication limits the risk of actual unauthorized power delivery, attackers could still disrupt charging workflows or cause billing inaccuracies. This could undermine trust in EV infrastructure, lead to financial losses, and complicate operational management. Given the increasing adoption of electric vehicles and expansion of charging infrastructure across Europe, especially in countries with aggressive EV policies, the vulnerability could affect charging station operators, utilities, and service providers. Additionally, attackers exploiting this flaw might use it as a foothold for further attacks on connected infrastructure, especially where MQTT servers are exposed or insufficiently secured. The lack of patches increases exposure time, necessitating immediate compensating controls.

Mitigation Recommendations

European organizations should implement strict network segmentation to isolate EV charging infrastructure and MQTT servers from untrusted networks, minimizing exposure to remote attackers. Deploy deep packet inspection and anomaly detection on MQTT traffic to identify and block malformed or unauthorized ISO 15118-2 messages that attempt to bypass authentication. Enforce strong access controls and authentication on MQTT brokers to prevent unauthorized publishing of messages. Monitor logs and charging state transitions for unusual patterns indicative of attempted exploitation. Collaborate with EVerest vendors to prioritize patch development and apply updates promptly once available. Consider deploying additional application-layer authentication or message integrity verification mechanisms at the MQTT communication layer to supplement the existing authorization module. Finally, conduct regular security assessments of EV charging infrastructure and related communication protocols to identify and remediate emerging threats.
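
The monitoring recommendation above can be prototyped as a sequence-state check over an ordered stream of bus events. This is an added example, not EVerest code: the `Event` record, the client ids `iso15118-module` and `auth-module`, and the `Authorized`/`Deauthorized` markers are hypothetical, and the sample streams are constructed; only the ISO 15118-2 message type names are real.

```python
from dataclasses import dataclass

# ISO 15118-2 requests that are legitimate before authorization completes.
PRE_AUTH = {"SessionSetupReq", "ServiceDiscoveryReq", "ServiceDetailReq",
            "PaymentServiceSelectionReq", "PaymentDetailsReq", "AuthorizationReq"}
# Requests that prepare or run energy transfer; valid only once authorized.
POST_AUTH = {"ChargeParameterDiscoveryReq", "CableCheckReq", "PreChargeReq",
             "PowerDeliveryReq", "CurrentDemandReq", "ChargingStatusReq"}
TRUSTED_PUBLISHERS = {"iso15118-module"}  # hypothetical MQTT client id
AUTH_SOURCE = "auth-module"               # hypothetical MQTT client id


@dataclass(frozen=True)
class Event:
    client_id: str  # MQTT client that published the record
    name: str       # ISO 15118-2 message type, or "Authorized" / "Deauthorized"


def audit(events):
    """Return (index, reason) alerts for one connector's ordered event stream."""
    alerts, authorized = [], False
    for i, ev in enumerate(events):
        if ev.name in ("Authorized", "Deauthorized"):
            if ev.client_id != AUTH_SOURCE:
                alerts.append((i, "state change from unexpected publisher"))
                continue  # a spoofed marker must not flip the tracked state
            authorized = ev.name == "Authorized"
        elif ev.client_id not in TRUSTED_PUBLISHERS:
            alerts.append((i, "ISO 15118-2 message from untrusted publisher"))
        elif ev.name in POST_AUTH and not authorized:
            alerts.append((i, "charge preparation while waiting for authentication"))
        elif ev.name not in PRE_AUTH | POST_AUTH | {"SessionStopReq"}:
            alerts.append((i, "unknown message type"))
    return alerts


# Constructed sample streams (not captured traffic).
NORMAL = [Event("iso15118-module", n) for n in
          ("SessionSetupReq", "ServiceDiscoveryReq",
           "PaymentServiceSelectionReq", "AuthorizationReq")]
NORMAL += [Event("auth-module", "Authorized"),
           Event("iso15118-module", "ChargeParameterDiscoveryReq"),
           Event("iso15118-module", "PowerDeliveryReq")]
SUSPECT = [Event("iso15118-module", "SessionSetupReq"),
           Event("iso15118-module", "AuthorizationReq"),
           Event("iso15118-module", "ChargeParameterDiscoveryReq"),
           Event("unknown-client", "PowerDeliveryReq")]

if __name__ == "__main__":
    for label, stream in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, audit(stream))
```

In a deployment the events would come from broker logs or a read-only subscriber that records the publishing client, and the tracked state would be kept per connector.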


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-19T18:49:20.659Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6977e8c84623b1157cbefcb4

Added to database: 1/26/2026, 10:20:56 PM

Last enriched: 2/3/2026, 8:36:56 AM

Last updated: 2/7/2026, 6:13:15 AM
