CVE-2025-68141

Summary

EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a DC_ChargeLoopRes message that includes Receipt as well as TaxCosts, the vector <DetailedTax>tax_costs in the target Receipt structure is accessed out of bounds. This occurs in the method template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out) which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
EVeresteverest-core< 2025.10.0affected

Weaknesses

  • CWE-476: CWE-476: NULL Pointer Dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References