Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-24003

Good to know:

icon

Date: January 26, 2026

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data.cThanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the "WaitingForAuthentication" state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the "WaitingForAuthentication" state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available.

Severity Score

Related Resources (4)

https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq
https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44
https://nvd.nist.gov/vuln/detail/CVE-2026-24003
https://www.mend.io/vulnerability-database/CVE-2026-24003

Severity Score

Weakness Type (CWE)

Improper Authentication

CWE-287

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us