CVE-2026-33015 MEDIUM

CVE-2026-33015: EVerest has RemoteStop Bypass via BCB Toggle Session Restart

Vendor Everest
Product everest-core
Weakness CWE-863 · Incorrect authorization
Published March 26, 2026
Last update March 26, 2026

CVSS base score

5.2/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass operational/billing/safety controls. Version 2026.02.0 contains a patch.

Key dates

02Disclosure timeline

March 26, 2026 CVE published
March 26, 2026 Record updated