CVE-2026-33014 is an authorization bypass vulnerability classified under CWE-863 found in the everest-core component of the EVerest EV charging software stack. The issue arises during the RemoteStop command processing, where a delayed authorization response erroneously restores the 'authorized' flag to true after it was set to false to stop a charging transaction. This logic flaw defeats the stop_transaction() call condition triggered by PowerOff events, allowing the charging session to remain open and continue despite a remote stop request. The vulnerability affects all versions prior to 2026.02.0, which includes the patch. The CVSS v3.1 score is 5.2 (medium), reflecting that the attack vector is network-based (AV:P), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity and availability but not confidentiality. The flaw could lead to unauthorized energy consumption and billing errors, undermining trust in EV charging operations. No known exploits are currently reported in the wild. The vulnerability highlights the importance of robust authorization state management in remote command processing within EV charging infrastructure software.

This vulnerability can lead to unauthorized continuation of EV charging sessions after a remote stop command, potentially causing financial losses due to incorrect billing and energy consumption. It undermines the integrity of transaction management and could disrupt availability by preventing proper session termination. For operators and service providers, this may result in customer dissatisfaction, regulatory scrutiny, and reputational damage. In large-scale deployments, the flaw could be exploited to cause widespread billing inaccuracies or denial of service by keeping charging points occupied. Although it does not expose confidential data, the integrity and availability impacts are significant in the context of critical EV infrastructure. The medium CVSS score reflects moderate risk, but the growing reliance on EV charging networks elevates the threat's operational importance.

Organizations should immediately upgrade to EVerest everest-core version 2026.02.0 or later, which contains the patch addressing this authorization flaw. Until the update is applied, operators should implement additional monitoring of transaction states to detect anomalies where stop commands do not result in session termination. Network segmentation and strict access controls can limit exposure to the vulnerable RemoteStop processing interface. Logging and alerting on authorization state changes during charging sessions can help identify exploitation attempts. Additionally, conducting thorough testing of remote command handling logic in EV charging software is recommended to prevent similar authorization issues. Vendors should consider implementing stronger state validation and timeout mechanisms to handle delayed authorization responses safely.