CVE-2025-68133 HIGH

CVE-2025-68133: EVerest's unlimited connections can lead to DoS through operating system resource exhaustion

Vendor Everest
Product everest-core
Weakness CWE-770 · Uncontrolled resource consumption
Published January 21, 2026
Last update January 21, 2026

CVSS base score

7.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0.

Key dates

02Disclosure timeline

January 21, 2026 CVE published
January 21, 2026 Record updated