Cyber Posture

CVE-2025-68133

High · Public PoC

Published: 21 January 2026
Modified: 06 February 2026
KEV Added: not listed in the CISA KEV catalog
Patch: available (fixed in version 2025.10.0)
CVSS Score: 7.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0003 (7.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68133 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in EVerest, an open-source EV charging software stack (NVD vendor/product: linuxfoundation/everest). Its CVSS 3.1 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 7.3rd percentile by exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004), that is, crashing the charging stack to deny availability rather than gaining access to it.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not yet run; the list below is derived from the weakness type (CWE-770) cited in the NVD entry, so it is generic to the weakness rather than specific to EVerest. Only the first and last items prevent the exhaustion itself; the others are contingency and planning controls that limit the impact of the resulting outage.

- addresses CWE-770: Explicit throttling on session allocation, so a peer cannot allocate sessions (and the threads behind them) without limit.
- addresses CWE-770: Contingency plan testing that exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- addresses CWE-770: Contingency plan updates that ensure recovery strategies cover unbounded resource allocation, making it harder for an attacker to turn a missing throttle into a prolonged outage.
- addresses CWE-770: Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- addresses CWE-770: Alternate services that allow operations to continue when the primary allocation of resources lacks limits or throttling.
- addresses CWE-770: Explicit planning of security-related actions that defines limits, windows and resource allocations, so unthrottled allocation becomes a documented deviation rather than an unnoticed default.
- addresses CWE-770: Measures of performance that track allocation behaviour and throttling effectiveness, shortening the window in which a resource exhaustion attack goes undetected.
- addresses CWE-770: An inactivity-based limit on network resource allocation (disconnecting idle sessions), which bounds the number of concurrently held connections; this is the control closest to the root cause here, connections that never proceed to ISO 15118-2 communication.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is directly exploitable for application/OS resource exhaustion: an unlimited number of unauthenticated connections each cause a thread to be spawned, which matches T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0.

Deeper analysis (AI-generated)

CVE-2025-68133 is a denial-of-service vulnerability in EVerest, an open-source EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the host operating system's memory and terminate EVerest modules by establishing an unlimited number of plain TCP or TLS socket connections that never advance to ISO 15118-2 communication. The root cause is that a new thread is spawned for each incoming connection before any verification takes place, and the verification that does exist is overly permissive; the per-connection cost (a thread and its stack) is therefore paid up front and bounded only by the attacker. NVD rates the resulting uncontrolled resource consumption at CVSS 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps it to CWE-770 (Allocation of Resources Without Limits or Throttling).

An adjacent-network attacker (AV:A), needing no privileges or user interaction, can exploit this by rapidly opening TCP or TLS connections to the vulnerable EVerest listener and simply holding them open without sending protocol traffic. Successful exploitation causes all EVerest processes and modules to shut down, disrupting EVSE (Electric Vehicle Supply Equipment) functionality entirely and rendering charging stations inoperable; the scope change (S:C) reflects that the outage is not confined to the module that accepted the connections. AV:A also bounds the exposure: the listener must be reachable from the attacker's network segment, so restricting which networks can reach the ISO 15118 socket is a reasonable compensating control while an upgrade is pending.
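The two preventive controls listed above (throttling on session allocation, an inactivity-based limit on held connections) and the root cause just described reduce to one pattern: decide whether to admit a connection before allocating anything for it, and bound how long an unverified peer may hold what it was given. The example below is added for this page; it is not EVerest's code and does not reproduce the project's fix. It shows the thread-per-connection shape the advisory describes next to a hardened listener with a global cap, a per-source cap and a handshake deadline. The limits, the 8-byte first message standing in for ISO 15118 verification, and all names (ConnectionGate, hardened_handle, exercise) are assumptions.

```python
"""Thread-per-connection listener, before and after admission control.
Added example; not EVerest's code.  Limits, the 8-byte first message standing
in for ISO 15118 verification, and all names are assumptions."""
import socket
import threading

HANDSHAKE_BYTES = 8   # assumption: stand-in for the real protocol's first message


def vulnerable_accept_loop(listener):
    """The shape the advisory describes: a thread (and its stack) is allocated for
    every accepted socket before the peer sends a byte, and recv() never times out."""
    while True:
        sock, _addr = listener.accept()
        threading.Thread(target=sock.recv, args=(HANDSHAKE_BYTES,)).start()


class ConnectionGate:
    """Admission control consulted before any worker exists: global and per-source caps."""

    def __init__(self, max_total=64, max_per_source=4, handshake_deadline=5.0):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.handshake_deadline = handshake_deadline   # seconds a peer gets to verify
        self._lock = threading.Lock()
        self._owner = {}        # conn_id -> peer_ip
        self._per_source = {}   # peer_ip -> live connections from that peer

    def active(self):
        return len(self._owner)

    def try_admit(self, conn_id, peer_ip):
        """Reserve a slot or refuse; a refusal means: close it, spawn nothing."""
        with self._lock:
            if len(self._owner) >= self.max_total:
                return False
            if self._per_source.get(peer_ip, 0) >= self.max_per_source:
                return False
            self._per_source[peer_ip] = self._per_source.get(peer_ip, 0) + 1
            self._owner[conn_id] = peer_ip
            return True

    def release(self, conn_id):
        """Runs when the worker exits on any path, verified or not."""
        with self._lock:
            peer_ip = self._owner.pop(conn_id)
            self._per_source[peer_ip] -= 1
            if self._per_source[peer_ip] == 0:
                del self._per_source[peer_ip]


def hardened_handle(sock, conn_id, gate):
    """Worker for an admitted socket.  The timeout bounds how long an unverified
    peer can hold the thread; returns True only if a full first message arrived."""
    try:
        sock.settimeout(gate.handshake_deadline)
        first = sock.recv(HANDSHAKE_BYTES)
        if len(first) != HANDSHAKE_BYTES:   # a concrete check, not a permissive one
            return False
        return True   # the real ISO 15118 session would proceed from here
    except (socket.timeout, OSError):
        return False
    finally:
        gate.release(conn_id)
        sock.close()


def hardened_accept_loop(listener, gate, stop):
    conn_id = 0
    while not stop.is_set():
        try:
            sock, addr = listener.accept()
        except socket.timeout:
            continue
        conn_id += 1
        if not gate.try_admit(conn_id, addr[0]):
            sock.close()   # refused before any per-connection allocation
            continue
        threading.Thread(target=hardened_handle, args=(sock, conn_id, gate), daemon=True).start()


def exercise(payload, deadline=0.2):
    """Offline drive of hardened_handle over a socketpair: returns
    (verified, workers still held) for a peer that sends `payload` and then idles."""
    gate = ConnectionGate(max_total=2, max_per_source=2, handshake_deadline=deadline)
    server_end, peer_end = socket.socketpair()
    gate.try_admit(1, "peer")
    if payload:
        peer_end.sendall(payload)
    verified = hardened_handle(server_end, 1, gate)
    peer_end.close()
    return verified, gate.active()


if __name__ == "__main__":
    print("peer that sends a full first message:", exercise(b"\x01\xfe" + bytes(6)))
    print("peer that connects and stays silent:  ", exercise(b""))
```

In the vulnerable loop a silent peer costs a thread for as long as it keeps the socket open; in the hardened loop it costs nothing if the gate refuses it, and at most `handshake_deadline` seconds of one thread if admitted. To run it against real peers, bind a listening socket with a short accept timeout (so the stop flag is honoured) and pass it to `hardened_accept_loop`. A production gate would also cap connections after verification and account for peers that verify and then go idle.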

The EVerest project addressed this in version 2025.10.0, as detailed in the GitHub security advisory GHSA-mv3w-pp85-5h7c and the related commits 8127b8c54b296c4dd01b356ac26763f81f76a8fd and de504f0c11069010d26767b0952739e9a400cef3, which implement proper connection limits and verification before a thread is created. Practitioners should upgrade to 2025.10.0 or later, confirm after upgrading that idle connections to the ISO 15118 listener are refused or dropped rather than accumulating, and monitor for unusual connection volumes on EVSE deployments.
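For the monitoring recommendation, the following is an added example (not from this page or from EVerest) of the check a detection engineer might run on the EVSE host: take a snapshot of the socket table, count connections to the ISO 15118 listener per peer, and alert when one peer holds more than a small number or the total exceeds what the stack is expected to serve. The sample lines are constructed in the shape of `ss -tan` output; port 15118, the thresholds and the function names are assumptions, since the SECC's actual listening port is whatever the local configuration binds.

```python
"""Connection-volume check for an EVSE host from a socket-table snapshot.
Added example, not part of this page or of EVerest; the sample is constructed
in the shape of `ss -tan` output, and port 15118, the thresholds and all
names are assumptions (use the port the local SECC listener actually binds)."""
from collections import Counter

# Constructed snapshot: one listener, five sockets from a single link-local
# peer that never progressed, one legitimate peer, and an unrelated SSH
# session that the check must ignore.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    [::]:15118              [::]:*
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::aaaa%eth0]:40001
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::aaaa%eth0]:40002
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::aaaa%eth0]:40003
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::aaaa%eth0]:40004
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::aaaa%eth0]:40005
ESTAB  0      0      [fe80::1%eth0]:15118    [fe80::bbbb%eth0]:50001
ESTAB  0      0      192.168.10.5:22         192.168.10.9:53311
"""


def split_addr(token):
    """'[fe80::1%eth0]:15118' -> ('fe80::1%eth0', '15118'); IPv4 likewise."""
    host, port = token.rsplit(":", 1)
    return host.strip("[]"), port


def parse_ss(text, local_port):
    """Return (state, peer_host) for every non-listening socket on local_port."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        _lhost, lport = split_addr(parts[3])
        if lport != str(local_port):
            continue
        rows.append((parts[0], split_addr(parts[4])[0]))
    return rows


def flood_alerts(rows, per_source_max=3, total_max=8):
    """Alert when one peer holds more than per_source_max sockets or the total
    exceeds total_max.  An EVCC normally holds a single ISO 15118-2 connection,
    so one peer holding several is the signature of the abuse this CVE enables."""
    per_source = Counter(host for _, host in rows)
    alerts = [f"per-source: {host} holds {n} sockets (limit {per_source_max})"
              for host, n in per_source.most_common() if n > per_source_max]
    if len(rows) > total_max:
        alerts.append(f"total: {len(rows)} sockets on the listener (limit {total_max})")
    return per_source, alerts


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS, 15118)
    counts, alerts = flood_alerts(rows)
    print(dict(counts))
    for a in alerts:
        print("ALERT", a)
```

On a live host, feed `parse_ss` the output of `ss -tan` (or `ss -tanio`, which additionally exposes idle time per socket if you want to alert on connections that have sent nothing for longer than a handshake should take) and tune the thresholds to the number of charge points the stack serves.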

Details

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products

linuxfoundation
everest
< 2025.10.0 (versions 2025.9.0 and below; fixed in 2025.10.0)

CVEs Like This One

CVE-2025-68136 · Same product: Linuxfoundation Everest
CVE-2025-68134 · Same product: Linuxfoundation Everest
CVE-2025-68141 · Same product: Linuxfoundation Everest
CVE-2026-27828 · Same product: Linuxfoundation Everest
CVE-2026-33009 · Same product: Linuxfoundation Everest
CVE-2026-27816 · Same product: Linuxfoundation Everest
CVE-2026-26008 · Same product: Linuxfoundation Everest
CVE-2026-27815 · Same product: Linuxfoundation Everest
CVE-2025-68137 · Same product: Linuxfoundation Everest
CVE-2026-22790 · Same product: Linuxfoundation Everest
