Authors Sebastien Rolland, Philippe Azalbert
Category Automotive
Tags audit, OSTIF, software, automotive, EV charger, ISO-15118D20, OCPP, 2026
Quarkslab performed the first public security audit of EVerest, an open-source project for EV charging stations hosted by LF Energy. The audit was mandated by the Open Source Technology Improvement Fund, Inc..
Introduction
Quarkslab conducted the first public third-party security assessment of EVerest, an open-source firmware stack for electric vehicle charging stations, deployed in hundreds of thousands of charging points worldwide.
The audit was funded by LF Energy (LFE) and coordinated by the Open Source Technology Improvement Fund (OSTIF). Quarkslab has been collaborating with OSTIF since 2015 and has been involved in several security audits. This security assessment had a total work effort of 42 person-days and was executed during July and August of 2025.
The security evaluation followed a methodology that began with threat modeling, then combined static analysis and dynamic testing. This approach enabled Quarkslab’s team to obtain an in-depth understanding of EVerest’s modular architecture, accurately define its attack surface, and identify potential vulnerabilities through both code-level inspection and runtime behavior analysis. Dynamic testing included targeted fuzzing campaigns.
The full report of the assessment can be found on Quarkslab's public reports repository.
Scope
The assessment was conducted within a set timeframe, with the primary focus on identifying vulnerabilities and security issues in the code according to the defined attack model shown below.
Findings
During the time frame of the security audit, Quarkslab discovered several security issues and vulnerabilities, among which:
- 6 security issues considered as high severity;
- 6 security issues considered as medium severity;
- 5 security issues considered as low severity;
- 3 issues considered informative.
The vulnerabilities were disclosed via security advisories of the EVerest GitHub repository.
| ID | Name | Perimeter |
|---|---|---|
| HIGH-6 | RFID token vulnerable to cloning and emulation attacks | Validation token |
| HIGH-10 | Unlimited connections lead to DoS because of operating system resource exhaustion | EvseV2G |
| HIGH-15 | Use of assert function lead to denial of service | Evse15118D20 - libiso15118D20 |
| HIGH-16 | Inadequate exception handling leads to denial of service | Evse15118D20 - libiso15118D20 |
| HIGH-17 | Inadequate session handling can lead to memory-related errors or exhaustion of the operating system’s file descriptors, resulting in a denial of service | Evse15118D20 - libiso15118D20 |
| HIGH-18 | Integer Overflow and Signed to Unsigned conversion lead o either stack buffer overflow or infinite loop | Evse15118D20 - libiso15118D20 |
| MEDIUM-1 | Concatenation of strings literal and integers | Global |
| MEDIUM-5 | Memory exhaustion in libocpp | Charge point availability |
| MEDIUM-8 | By default, the EV is responsible for closing the connection if the module encounters an error during request processing | EvseV2G |
| MEDIUM-13 | Null session ID bypasses session ID verification | EvseV2G |
| MEDIUM-14 | Sequence state validation bypass | EvseV2G |
| MEDIUM-20 | Null pointer dereference during DC_ChargeLoopRes document deserialization | Evse15118D20 - libiso15118D20 |
| LOW-2 | Session logging parameters may enable path traversal, XSS, log overwriting, or logging disablement. | EvseManager |
| LOW-4 | Use of weak ciphers for TLS1.2 in OCPP websockets | OCPP websockets security |
| LOW-7 | Default value for TLS usage is set to prohibit | EvseV2G |
| LOW-9 | Weak TLS ciphersuite | EvseV2G |
| LOW-12 | V2G messages are processed and most of the time published before any verification | EvseV2G |
| INFO-3 | Used OpenSSL version has known vulnerabilities | OCPP websockets security |
| INFO-11 | Predictable session ID | EvseV2G |
| INFO-19 | libiso15118D20 session deserializes responses | Evse15118D20 - libiso15118D20 |
At the time of writing, most identified vulnerabilities have been reported and received their respective CVE numbers:
- CVE-2025-68133 for HIGH-10
- CVE-2025-68134 for HIGH-15
- CVE-2025-68135 for HIGH-16
- CVE-2025-68136 for HIGH-17
- CVE-2025-68137 for HIGH-18
- CVE-2025-68138 for MEDIUM-5
- CVE-2025-68139 for MEDIUM-8
- CVE-2025-68140 for MEDIUM-13
- CVE-2025-68141 for MEDIUM-20
Conclusion
By relying on an intentional modular design and strong isolation techniques, EVerest's firmware stack shows use of good software architecture principles. However, as various complex protocols and standards need to be implemented in charging stations, external security audits remain very important in this field. During our audit, we identified several vulnerabilities in EVerest, many of which could be exploited on available devices.
Quarkslab provided recommendations and strategies for addressing the discovered vulnerabilities, helping to strengthen the open-source tool and enhance its security moving forward.
We would like to recognizes the considerable security efforts made by the EVerest development team.
Finally, Quarkslab would also like to thank the OSTIF team, the LF Energy team, and EVerest maintainers for their support and collaboration throughout this security audit.