CVE-2026-33015
Session Restart Bypass in EVerest EVSE via RemoteStop Flaw
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | everest | up to 2026.02.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33015 is a vulnerability in the EVerest EV charging software stack where the remote stop command (StopTransaction) issued by the Central System Management System (CSMS) can be bypassed. After a remote stop is performed, the Electric Vehicle Supply Equipment (EVSE) can be restarted by toggling the Basic Control Pilot (BCB) signal from the Electric Vehicle (EV), causing the charging session to resume.
This happens because the software does not immediately mark the charging transaction as inactive after the remote stop command. While the system is in the process of stopping charging, it still allows a return to the charging preparation state if a BCB toggle is detected, effectively restarting the session. This breaks the intended irreversibility of the remote stop command.
The root cause is that the function handling transaction cancellation delays clearing the active transaction flag, and the state machine logic permits session restart during this delay. This flaw can lead to bypassing operational, billing, and safety controls.
How can this vulnerability impact me?
This vulnerability can have several impacts:
- Bypassing remote stop commands allows unauthorized restarting of charging sessions.
- It can facilitate energy theft or billing circumvention by resuming sessions that should have been stopped.
- It may cause failure of emergency stop functionality, posing safety risks.
- Operational and safety controls can be bypassed, potentially leading to unsafe or unauthorized charging behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the EVSE allowing a charging session to restart after a RemoteStop command due to a BCB toggle. Detection involves monitoring the EVSE state transitions and the BCB signal behavior.
Specifically, you can check if after issuing a RemoteStop (StopTransaction) command, the EVSE state returns to PrepareCharging upon a BCB toggle, which should not happen.
Since this is a physical-layer and state-machine issue, network commands alone may not fully detect it, but you can monitor logs or EVSE state changes related to StopTransaction commands and subsequent BCB toggles.
A suggested approach:
- Issue a RemoteStop (StopTransaction) command via the CSMS interface.
- Monitor EVSE logs or state machine outputs for the transition to StoppingCharging state.
- Physically toggle the BCB signal on the EV side and observe if the EVSE state returns to PrepareCharging.
- Check if the transaction_active flag remains true after RemoteStop, which indicates the vulnerability.
No specific command-line commands are provided in the resources, but monitoring the EVSE logs and state transitions around StopTransaction and BCB toggles is key.
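The log check described above, as an added example (not EVerest code and not part of the advisory): it flags any EVSE that re-enters PrepareCharging after a RemoteStop within the same session. The line format and the `RemoteStop`, `BCBToggle`, `Charging` and `Idle` labels are assumptions for illustration; only `PrepareCharging` and `StoppingCharging` come from the text.

```python
import re

# Constructed sample events; the line format is an assumption for this example,
# not EVerest's actual log output. Map your own log fields onto it.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z evse=1 state=PrepareCharging
2026-03-01T10:00:05Z evse=1 state=Charging
2026-03-01T10:12:00Z evse=1 event=RemoteStop
2026-03-01T10:12:01Z evse=1 state=StoppingCharging
2026-03-01T10:12:09Z evse=1 event=BCBToggle
2026-03-01T10:12:10Z evse=1 state=PrepareCharging
2026-03-01T10:12:15Z evse=1 state=Charging
2026-03-01T11:00:00Z evse=2 state=Charging
2026-03-01T11:05:00Z evse=2 event=RemoteStop
2026-03-01T11:05:01Z evse=2 state=StoppingCharging
2026-03-01T11:05:20Z evse=2 state=Idle
2026-03-01T11:30:00Z evse=2 state=PrepareCharging
"""

LINE_RE = re.compile(r"^(\S+)\s+evse=(\d+)\s+(state|event)=(\w+)$")
SESSION_END_STATES = {"Idle"}  # assumed name for "session finished / unplugged"

def find_restarts_after_remote_stop(log_text):
    """Return (timestamp, evse_id, bcb_seen) per PrepareCharging entered after a RemoteStop."""
    stopped = {}   # evse id -> True once a BCB toggle was seen since RemoteStop
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, evse, kind, value = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if kind == "event" and value == "RemoteStop":
            stopped[evse] = False
        elif kind == "event" and value == "BCBToggle" and evse in stopped:
            stopped[evse] = True
        elif kind == "state" and value in SESSION_END_STATES:
            stopped.pop(evse, None)  # session over; a later start is legitimate
        elif kind == "state" and value == "PrepareCharging" and evse in stopped:
            findings.append((ts, evse, stopped.pop(evse)))
    return findings

if __name__ == "__main__":
    for ts, evse, bcb in find_restarts_after_remote_stop(SAMPLE_LOG):
        print(f"{ts} evse={evse}: restarted after RemoteStop (BCB toggle seen: {bcb})")
```

On the sample, EVSE 1 is flagged while EVSE 2 is not, because its session ended before the next PrepareCharging.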
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the everest-core EVSE software to version 2026.02.0 or later, where the patch for this vulnerability has been applied.
This patch ensures that the transaction_active flag is cleared immediately upon RemoteStop, preventing the EVSE from returning to PrepareCharging state after a BCB toggle.
Until the upgrade is applied, physical controls or monitoring should be used to prevent unauthorized BCB toggling that could restart charging sessions.
Additionally, reviewing and tightening operational procedures to detect and respond to unexpected session restarts can help mitigate risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows bypassing the irreversibility of remote stop commands in EV charging sessions, potentially enabling unauthorized session restarts and misuse such as energy theft or billing circumvention.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass operational, billing, and safety controls could lead to violations of regulations related to data integrity, billing accuracy, and operational safety.
Specifically, the integrity impact (high) indicates unauthorized modification of charging session state, which could affect compliance with standards requiring accurate and tamper-proof billing and operational records.