CVE-2026-33015
Received Received - Intake
Session Restart Bypass in EVerest EVSE via RemoteStop Flaw

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass operational/billing/safety controls. Version 2026.02.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33015
EUVD
EUVD-2026-16254
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation everest to 2026.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33015 is a vulnerability in the EVerest EV charging software stack where the remote stop command (StopTransaction) issued by the Central System Management System (CSMS) can be bypassed. After a remote stop is performed, the Electric Vehicle Supply Equipment (EVSE) can be restarted by toggling the Basic Control Pilot (BCB) signal from the Electric Vehicle (EV), causing the charging session to resume.

This happens because the software does not immediately mark the charging transaction as inactive after the remote stop command. While the system is in the process of stopping charging, it still allows a return to the charging preparation state if a BCB toggle is detected, effectively restarting the session. This breaks the intended irreversibility of the remote stop command.

The root cause is that the function handling transaction cancellation delays clearing the active transaction flag, and the state machine logic permits session restart during this delay. This flaw can lead to bypassing operational, billing, and safety controls.

Impact Analysis

This vulnerability can have several impacts:

  • Bypassing remote stop commands allows unauthorized restarting of charging sessions.
  • It can facilitate energy theft or billing circumvention by resuming sessions that should have been stopped.
  • It may cause failure of emergency stop functionality, posing safety risks.
  • Operational and safety controls can be bypassed, potentially leading to unsafe or unauthorized charging behavior.
Detection Guidance

This vulnerability involves the EVSE allowing a charging session to restart after a RemoteStop command due to a BCB toggle. Detection involves monitoring the EVSE state transitions and the BCB signal behavior.

Specifically, you can check if after issuing a RemoteStop (StopTransaction) command, the EVSE state returns to PrepareCharging upon a BCB toggle, which should not happen.

Since this is a physical-layer and state-machine issue, network commands alone may not fully detect it, but you can monitor logs or EVSE state changes related to StopTransaction commands and subsequent BCB toggles.

Suggested approach includes:

  • Issue a RemoteStop (StopTransaction) command via the CSMS interface.
  • Monitor EVSE logs or state machine outputs for the transition to StoppingCharging state.
  • Physically toggle the BCB signal on the EV side and observe if the EVSE state returns to PrepareCharging.
  • Check if the transaction_active flag remains true after RemoteStop, which indicates the vulnerability.

No specific command-line commands are provided in the resources, but monitoring the EVSE logs and state transitions around StopTransaction and BCB toggles is key.

Mitigation Strategies

The primary mitigation is to upgrade the everest-core EVSE software to version 2026.02.0 or later, where the patch for this vulnerability has been applied.

This patch ensures that the transaction_active flag is cleared immediately upon RemoteStop, preventing the EVSE from returning to PrepareCharging state after a BCB toggle.

Until the upgrade is applied, physical controls or monitoring should be used to prevent unauthorized BCB toggling that could restart charging sessions.

Additionally, reviewing and tightening operational procedures to detect and respond to unexpected session restarts can help mitigate risks.

Compliance Impact

The vulnerability allows bypassing the irreversibility of remote stop commands in EV charging sessions, potentially enabling unauthorized session restarts and misuse such as energy theft or billing circumvention.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass operational, billing, and safety controls could lead to violations of regulations related to data integrity, billing accuracy, and operational safety.

Specifically, the integrity impact (high) indicates unauthorized modification of charging session state, which could affect compliance with standards requiring accurate and tamper-proof billing and operational records.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33015. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart