CVE-2025-68133— EVerest's unlimited connections can lead to DoS through operating system resource exhaustion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-68133
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EVerest's unlimited connections can lead to DoS through operating system resource exhaustion
Source: NVD (National Vulnerability Database)
Vulnerability Description
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
everest-core 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
everest-core是EVerest开源的一个电动汽车充电软件堆栈的主要部分。 everest-core 2025.10.0之前版本存在安全漏洞,该漏洞源于攻击者可通过发起无限数量的TCP连接来耗尽操作系统内存,可能导致模块终止。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| EVerest | everest-core | < 2025.10.0 | - |
II. Public POCs for CVE-2025-68133
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-68133
请登录查看更多情报信息。
Same Patch Batch · EVerest · 2026-01-21 · 11 CVEs total
| CVE-2025-68137 | 8.4 HIGH | EVerest's Integer Overflow and Signed to Unsigned conversion lead to either stack buffer o |
| CVE-2025-68134 | 7.4 HIGH | EVerest's use of assert functions can potentially lead to denial of service |
| CVE-2025-68136 | 7.4 HIGH | EVerest's inadequate session handling can lead to memory-related errors or exhaustion of t |
| CVE-2025-68141 | 7.4 HIGH | EVerest vulnerable to null pointer dereference during DC_ChargeLoopRes document deserializ |
| CVE-2025-68135 | 6.5 MEDIUM | EVerest's inadequate exception handling leads to denial of service |
| CVE-2025-68138 | 4.7 MEDIUM | EVerest affected by memory exhaustion in libocpp |
| CVE-2025-68139 | 4.3 MEDIUM | In EVerest, by default, the EV is responsible for closing the connection if the module enc |
| CVE-2025-68140 | 4.3 MEDIUM | EVerest allows null session ID to bypass session ID verification |
| CVE-2026-23955 | 4.2 MEDIUM | EVerest vulnerable to concatenation of strings literal and integers |
| CVE-2025-68132 | EVerest has out-of-bounds read in DZG_GSH01 SLIP CRC parser that can crash powermeter driv |
IV. Related Vulnerabilities
Same product: everest-core
- CVE-2026-33015
EVerest has RemoteStop Bypass via BCB Toggle Session Restart - CVE-2026-33014
EVerest has Delayed Authorization Response Bypasses Terminat - CVE-2026-33009
EVerest: MQTT Switch-Phases Command Data Race Causing Charge - CVE-2026-29044
EVerest: Charging Continues When WithdrawAuthorization Is Pr - CVE-2026-27828
EVerest: ISO15118 session_setup use-after-free can crash EVS
Same vendor: EVerest
- CVE-2026-33015
EVerest has RemoteStop Bypass via BCB Toggle Session Restart - CVE-2026-33014
EVerest has Delayed Authorization Response Bypasses Terminat - CVE-2026-33009
EVerest: MQTT Switch-Phases Command Data Race Causing Charge - CVE-2026-29044
EVerest: Charging Continues When WithdrawAuthorization Is Pr - CVE-2026-27828
EVerest: ISO15118 session_setup use-after-free can crash EVS
Same weakness: CWE-770
- CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42189
Russh: Pre-auth DoS via unbounded allocation in keyboard-int - CVE-2026-42793
Atom table exhaustion via attacker-controlled GraphQL SDL na - CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali
V. Comments for CVE-2025-68133
No comments yet