CVE-2025-68133
Published: 21 January 2026
Summary
CVE-2025-68133 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Linuxfoundation Everest. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 10.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2025-68133 is a denial-of-service vulnerability in EVerest, an open-source EV charging software stack. Affecting versions 2025.9.0 and below, the flaw allows an attacker to exhaust the host operating system's memory and terminate EVerest modules by establishing an unlimited number of plain TCP or TLS socket connections that do not advance to ISO 15118-2 communication. This occurs because a new thread is spawned for each incoming connection prior to any verification, and the existing verification mechanism is overly permissive, leading to uncontrolled resource consumption rated at CVSS 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).
An adjacent-network attacker (AV:A) with no privileges or user interaction required can exploit this by rapidly initiating TCP or TLS connections to the vulnerable EVerest instance. Successful exploitation causes all EVerest processes and modules to shut down, completely disrupting EVSE (Electric Vehicle Supply Equipment) functionality and rendering charging stations inoperable.
The EVerest project addressed this in version 2025.10.0, as detailed in the GitHub security advisory (GHSA-mv3w-pp85-5h7c) and related commits (8127b8c54b296c4dd01b356ac26763f81f76a8fd and de504f0c11069010d26767b0952739e9a400cef3), which implement proper connection limits and verification prior to thread creation. Security practitioners should upgrade to 2025.10.0 or later and monitor for unusual connection volumes on EVSE deployments.
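The fix the advisory describes, limiting live connections and deciding before any worker thread is spawned, illustrated as an added example in Python; this is not EVerest's own code. ConnectionGate, the constructed limits and the handshake-timeout rule (an unverified socket that never reaches ISO 15118-2 communication is dropped so its slot is reusable) are assumptions made for the example.

```python
import threading

# Constructed limits for this example; EVerest's real values are not given on the page.
MAX_CONNECTIONS = 8
HANDSHAKE_TIMEOUT_S = 5.0

class ConnectionGate:
    """Hypothetical admission control for incoming TCP/TLS sockets (not EVerest code).
    A socket holds a slot only while open; an admitted socket that has not advanced to
    ISO 15118-2 communication within the handshake timeout is dropped so its slot can be
    reused. Admission is decided before any worker thread is created."""

    def __init__(self, max_connections=MAX_CONNECTIONS, handshake_timeout=HANDSHAKE_TIMEOUT_S):
        self._max = max_connections
        self._timeout = handshake_timeout
        self._lock = threading.Lock()
        self._active = {}  # conn_id -> [admitted_at, verified]

    def _expire_idle(self, now):
        # Drop unverified connections past the handshake deadline (caller holds the lock).
        for cid in [c for c, (t0, ok) in self._active.items() if not ok and now - t0 > self._timeout]:
            del self._active[cid]

    def try_admit(self, conn_id, now):
        """True: start a worker for conn_id. False: close the socket without spawning anything."""
        with self._lock:
            self._expire_idle(now)
            if len(self._active) >= self._max:
                return False
            self._active[conn_id] = [now, False]
            return True

    def mark_verified(self, conn_id):
        """Call once the peer has passed verification / reached ISO 15118-2 communication."""
        with self._lock:
            if conn_id in self._active:
                self._active[conn_id][1] = True

    def release(self, conn_id):  # socket closed, in whatever state it was
        with self._lock:
            self._active.pop(conn_id, None)

    def active_count(self):
        with self._lock:
            return len(self._active)

def simulate_idle_flood(gate, n_sockets, now, prefix="idle"):
    """Constructed flood: n sockets that connect and never send. Returns (admitted, refused)."""
    results = [gate.try_admit(f"{prefix}-{i}", now) for i in range(n_sockets)]
    return results.count(True), results.count(False)
```

With the gate in place a flood of silent sockets is refused once the cap is reached, and the refused sockets never cost a thread; a verified charging session keeps its slot while idle sockets are reaped.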
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206325
Vulnerability details
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- T1499.004 Application or System Exploitation
Why these techniques?
The vulnerability enables direct exploitation for application/OS resource exhaustion (unlimited unauthenticated connections, each spawning a thread), matching T1499.004, the Application or System Exploitation sub-technique of Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5) (AI)
- SC-5 (Denial-of-service Protection): Directly requires mechanisms to protect against or limit the effects of denial-of-service attacks that exhaust memory via unbounded TCP/TLS connections before ISO 15118-2 verification.
- AC-10 (Concurrent Session Control): Enforces limits on concurrent sessions/connections, preventing the unlimited plain TCP or TLS socket connections that spawn threads and exhaust resources in EVerest.
- Requires protection of system resources against exhaustion attacks, directly addressing the uncontrolled thread creation and memory consumption prior to any verification.