CVE-2026-33015

# Conceptual Proof of Concept for CVE-2026-33015 # This script simulates the logic flaw where a physical BCB toggle bypasses the RemoteStop command. class EVerestCharger: def __init__(self): self.state = 'Idle' self.is_stopped_by_csms = False def remote_stop(self): # Simulate CSMS sending a RemoteStop command print("[*] CSMS sends RemoteStop command.") self.state = 'Stopped' self.is_stopped_by_csms = True print(f"[*] Current State: {self.state}") def physical_bcb_toggle(self): # Simulate attacker physically toggling the BCB (Battery Circuit Breaker) print("[!] Attacker physically toggles the EV BCB.") # Vulnerability Logic: The system does not check is_stopped_by_csms flag # when reacting to physical BCB changes. if self.state == 'Stopped': print("[+] Vulnerability Triggered: State transitions to PrepareCharging") self.state = 'PrepareCharging' return True return False def exploit(): charger = EVerestCharger() # 1. Normal remote stop operation charger.remote_stop() # 2. Attacker exploits the flaw via physical access success = charger.physical_bcb_toggle() if success: print("[!] Exploit Successful: Charging session restarted despite RemoteStop.") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2026-33015", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:38.130", "lastModified": "2026-03-31T14:20:51.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass operational/billing/safety controls. Version 2026.02.0 contains a patch."}, {"lang": "es", "value": "EVerest es una pila de software de carga de vehículos eléctricos. Antes de la versión 2026.02.0, incluso inmediatamente después de que el CSMS realice un RemoteStop (StopTransaction), el EVSE puede volver a 'PrepareCharging' a través del interruptor BCB del VE, permitiendo el reinicio de la sesión. Esto rompe la irreversibilidad de la parada remota y puede eludir los controles operativos/de facturación/de seguridad. La versión 2026.02.0 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 5.2, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026.02.0", "matchCriteriaId": "EB167E67-6808-4F7B-9505-FFF0C02B288C"}]}]}], "references": [{"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-pw9q-2287-cchc", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-pw9q-2287-cchc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}