CVE-2025-68140

EPSS 0.04%
Veröffentlicht 21.01.2026 19:54:51
Zuletzt bearbeitet 06.02.2026 21:22:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G messages handlers, updating a session context. Version 2025.9.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Everest Version < 2025.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.123

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-68140

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68140

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68140

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68140