EUVD-2026-16201
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.
Analysis
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all EVerest deployments and confirm versions in use; document business-critical charging stations and failover capacity. Within 7 days: Implement network segmentation to restrict CSMS-to-charging-station communication to trusted management systems only; deploy ingress filtering to block unexpected UpdateAllowedEnergyTransferModes messages if technically feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today