FKIE_CVE-2025-68139

Vulnerability from fkie_nvd - Published: 2026-01-21 20:16 - Updated: 2026-02-06 21:22
Summary
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value of `terminate_connection_on_failed_response` is `false`, which leaves the responsibility for terminating the session and connection to the EV. In this configuration, errors encountered by the module are logged but do not trigger countermeasures such as resetting or terminating the session and connection. A malicious user could abuse this to exploit other weaknesses or vulnerabilities. The default will stay at the setting this report describes as potentially problematic; a mitigation is available by setting `terminate_connection_on_failed_response` to `true`. It cannot be made the default, because terminating the connection can trigger errors in vehicle ECUs that require ECU resets and lengthy unavailability of charging for the affected vehicles. The maintainers judge avoiding that to be more important than the short-term unavailability of an EVSE, so the setting will stay at its current default.
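Because the fix is a configuration change rather than a code change, the check a deployment owner wants is whether every ISO 15118 module instance in the EVerest config actually has the setting applied, including instances that simply omit the key and therefore inherit the vulnerable default. The script below is an added example, not code from EVerest or from this advisory. It assumes (the page does not say) that `terminate_connection_on_failed_response` is a `config_module` parameter of the `EvseV2G` module, that configs follow the everest-core `active_modules` layout, and it runs over a constructed sample config rather than a real deployment.

```python
"""Audit an EVerest YAML config for the CVE-2025-68139 mitigation.

Added example, not EVerest project code. Assumption: the setting is a
`config_module` parameter of the EvseV2G module, and the config uses the
everest-core layout active_modules -> <instance> -> module / config_module.
"""

SETTING = "terminate_connection_on_failed_response"
AFFECTED_MODULES = {"EvseV2G"}  # assumption: the module that exposes SETTING

# Constructed sample config, not a real deployment. Three ISO 15118 instances:
# one with the default written out, one relying on the implicit default, one
# with the mitigation applied; plus an unrelated module with a connections list.
SAMPLE_CONFIG = """\
active_modules:
  iso15118_charger:
    module: EvseV2G
    config_module:
      device: eth1
      tls_security: allow
      terminate_connection_on_failed_response: false
  iso15118_charger_b:
    module: EvseV2G
    config_module:
      device: eth2
  iso15118_charger_c:
    module: EvseV2G
    config_module:
      device: eth3
      terminate_connection_on_failed_response: true
  evse_manager:
    module: EvseManager
    config_module:
      connector_id: 1
    connections:
      hlc:
        - module_id: iso15118_charger
          implementation_id: charger
"""


def parse_simple_yaml(text):
    """Flatten a restricted YAML subset into {(key, ..., key): 'scalar'}.

    Handles nested mappings of scalars with consistent indentation and `#`
    comments. List items ('- ...') are skipped because the audit does not
    need the `connections` section. Written for this example; not a general
    YAML parser.
    """
    flat = {}
    stack = []  # (indent, key) for the mapping path currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("- "):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        # Close every mapping at the same or deeper indentation.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[tuple(k for _, k in stack)] = value.strip()
    return flat


def classify(value):
    """Map the setting's YAML value (or None when absent) to an audit status."""
    if value is None:
        return "implicit-default"  # key absent: the vulnerable default applies
    if value.strip().lower() == "true":
        return "mitigated"
    return "explicit-default"


def audit(config_text):
    """Return {instance_name: status} for every instance of an affected module."""
    flat = parse_simple_yaml(config_text)
    findings = {}
    for path, value in flat.items():
        if (len(path) == 3 and path[0] == "active_modules"
                and path[2] == "module" and value in AFFECTED_MODULES):
            instance = path[1]
            setting = flat.get(("active_modules", instance, "config_module", SETTING))
            findings[instance] = classify(setting)
    return findings


def unmitigated(config_text):
    """Instance names still relying on the default, i.e. still affected."""
    return sorted(name for name, status in audit(config_text).items()
                  if status != "mitigated")


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{name}: {status}")
    print("unmitigated:", unmitigated(SAMPLE_CONFIG))
```

Treat `implicit-default` the same as `explicit-default`: both leave session termination to the EV. Before flipping an instance to `true`, test against the vehicles that actually charge at that site, since the advisory notes the terminate behaviour can trigger ECU errors that need a reset. The script only checks the setting; the affected version range (up to and including 2025.12.1) has to be checked separately against the installed EVerest release.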
Impacted products
Vendor           Product   Version
linuxfoundation  everest   * (all versions up to and including 2025.12.1)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2054B5F-AED8-4768-8D31-2B05D3CF67EC",
              "versionEndIncluding": "2025.12.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response`  setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value."
    }
  ],
  "id": "CVE-2025-68139",
  "lastModified": "2026-02-06T21:22:10.130",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T20:16:06.167",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

