CVE-2026-33009 is a concurrency vulnerability classified under CWE-362 (Race Condition) affecting the EVerest everest-core software, an EV charging software stack. Versions before 2026.02.0 contain a data race triggered by MQTT messages sent to the topic everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging. This message causes concurrent, unsynchronized access to shared data structures within the Charger class, specifically shared_context and internal_context, leading to undefined behavior in C++ such as memory corruption. The root cause is the lack of proper locking mechanisms around these shared resources during concurrent execution. The vulnerability can be exploited remotely without authentication or user interaction, as the MQTT interface is network-accessible. The impact includes potential denial of service due to crashes or corrupted internal state, and integrity loss in charging operations. The vendor released a patch in version 2026.02.0 that introduces proper synchronization to eliminate the race condition. No public exploits or active attacks have been reported to date, but the high CVSS score of 8.2 reflects the ease of exploitation and significant impact on availability and integrity.

This vulnerability can severely disrupt EV charging operations by causing crashes or unpredictable behavior in charging stations running vulnerable versions of everest-core. The resulting denial of service can lead to unavailability of charging services, impacting EV users and operators. Memory corruption could also be leveraged to manipulate charging parameters, potentially causing safety risks or financial losses. Given the increasing reliance on EV infrastructure worldwide, such disruptions could affect critical transportation and energy sectors. Organizations operating EV charging networks may face operational downtime, reputational damage, and increased incident response costs. The lack of authentication requirements and network accessibility of the MQTT interface increase the attack surface, allowing remote attackers to exploit the flaw without prior access. Although no exploits are known in the wild, the vulnerability's characteristics make it a significant risk for EV infrastructure providers.

1. Immediately upgrade all affected EVerest everest-core instances to version 2026.02.0 or later, which contains the patch addressing this race condition. 2. If immediate upgrade is not feasible, implement network-level controls to restrict access to the MQTT topic everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging, limiting it to trusted sources only. 3. Monitor MQTT traffic for unusual or unauthorized messages targeting the vulnerable topic to detect potential exploitation attempts. 4. Employ runtime application self-protection (RASP) or memory safety tools to detect and prevent memory corruption during operation. 5. Conduct thorough testing of charging station software to ensure no residual concurrency issues remain. 6. Engage with the vendor for any additional security advisories or patches. 7. Develop incident response plans specific to EV infrastructure to quickly address potential disruptions caused by such vulnerabilities.