CVE-2026-33015: CWE-863: Incorrect Authorization in EVerest everest-core
EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass operational/billing/safety controls. Version 2026.02.0 contains a patch.
Affected Countries
United States, Germany, China, Japan, United Kingdom, France, Netherlands, South Korea, Canada, Australia
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33015 is an authorization bypass vulnerability classified under CWE-863 (Incorrect Authorization) affecting the everest-core component of the EVerest EV charging software stack. EVerest manages electric vehicle charging sessions, including remote control commands from the CSMS. Prior to version 2026.02.0, when the CSMS issues a RemoteStop command (StopTransaction) to terminate a charging session, the EVSE is expected to stop the session irreversibly so that operational, billing, and safety policies are enforced. Because of improper authorization checks, however, the EVSE can instead return to the PrepareCharging state when the EV's BCB (Battery Control Box) toggle fires, even immediately after the remote stop. The charging session can then restart without CSMS consent, effectively bypassing the remote stop command. This compromises the integrity of session control and undermines the billing accuracy and safety mechanisms designed to prevent unauthorized or unsafe charging. The CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) indicates that the attack requires physical access to the EVSE or EV (AV:P), has low complexity, needs no privileges or user interaction, and has a high integrity impact with a low availability impact and no confidentiality impact. No public exploits have been reported, but the flaw poses a risk to the reliability and trustworthiness of EV charging infrastructure. The vendor patched the issue in version 2026.02.0, correcting the authorization logic so that a RemoteStop terminates the session irreversibly.
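The following simplified session state machine is an added illustration of the flaw class described above; it is not EVerest code, and the state, event and field names (including the `remote_stopped` latch and the `enforce_irreversible` switch) are assumptions chosen for the model. The unpatched path lets a BCB toggle move a remotely stopped session back to PrepareCharging; the patched path refuses until the CSMS makes a new authorization decision.

```cpp
#include <cassert>
#include <initializer_list>

// Simplified EVSE session model (added example, not everest-core code).
enum class State { Idle, PrepareCharging, Charging, Finished };
enum class Event { EvPlugIn, CsmsAuthorize, BcbToggle, RemoteStop };

struct Session {
    State state = State::Idle;
    bool csms_authorized = false;  // CSMS has authorized this session
    bool remote_stopped = false;   // hypothetical latch set by RemoteStop
};

// Returns true when the event is accepted. enforce_irreversible=false models
// the pre-2026.02.0 behaviour; true models the intended, patched behaviour.
bool handle(Session& s, Event e, bool enforce_irreversible) {
    switch (e) {
    case Event::EvPlugIn:
        if (s.state != State::Idle) return false;
        s.state = State::PrepareCharging;
        return true;
    case Event::CsmsAuthorize:
        s.csms_authorized = true;
        s.remote_stopped = false;  // a fresh CSMS decision supersedes the stop
        if (s.state == State::PrepareCharging) s.state = State::Charging;
        return true;
    case Event::RemoteStop:       // CSMS StopTransaction
        s.state = State::Finished;
        s.csms_authorized = false;
        s.remote_stopped = true;
        return true;
    case Event::BcbToggle:        // EV-side wake-up after the session ended
        if (s.state != State::Finished) return false;
        // CWE-863: without this check the EV alone re-enters PrepareCharging.
        if (enforce_irreversible && s.remote_stopped) return false;
        s.state = State::PrepareCharging;
        return true;
    }
    return false;
}

// Drive a session through a sequence of events and report the final state.
State run(std::initializer_list<Event> events, bool enforce_irreversible) {
    Session s;
    for (Event e : events) handle(s, e, enforce_irreversible);
    return s.state;
}
```

The unpatched model ends in PrepareCharging after RemoteStop followed by BcbToggle, while the patched model stays in Finished until a new CsmsAuthorize arrives.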
Potential Impact
This vulnerability can lead to unauthorized restarting of EV charging sessions after a remote stop command, which can have several negative consequences for organizations operating EV charging infrastructure. Operationally, it undermines the control CSMS has over charging sessions, potentially allowing users or attackers to bypass session termination. This can result in inaccurate billing, as sessions may continue without proper authorization or accounting. From a safety perspective, the ability to restart charging without CSMS approval could lead to unsafe charging conditions or violate regulatory requirements. The integrity of session management is compromised, which may erode trust in the charging infrastructure. While the attack requires local or physical access to the EVSE or EV, the widespread deployment of EV charging stations increases the attack surface. Organizations relying on affected versions risk financial losses, regulatory penalties, and reputational damage if this vulnerability is exploited. The lack of confidentiality impact limits data exposure risks, but the integrity and availability impacts are significant for critical EV charging operations.
Mitigation Recommendations
Organizations should immediately upgrade all EVerest everest-core deployments to version 2026.02.0 or later, where the authorization flaw has been patched. Until upgrades are complete, physical and network access to EVSE devices should be tightly controlled to prevent unauthorized toggling of the EV's BCB. Implement network segmentation and access controls so that EVSE management interfaces are reachable only by trusted personnel and systems. Monitor EVSE logs and charging session states for PrepareCharging transitions that follow a RemoteStop without a new CSMS authorization; such transitions may indicate exploitation attempts. Incorporate multi-factor authentication and role-based access controls in CSMS and EVSE management systems to reduce the risk of unauthorized commands. Conduct regular security audits and penetration testing focused on EVSE session management logic. Coordinate with EVSE manufacturers and vendors to ensure timely patch deployment and to verify firmware integrity. Finally, update incident response plans to include scenarios involving EV charging session manipulation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.666Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d74
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 3/26/2026, 5:33:47 PM
Last updated: 3/26/2026, 7:44:22 PM