CVE-2025-12357

Summary

By manipulating the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements, an attacker can stage a man-in-the-middle attack between an electric vehicle and chargers that comply with the ISO 15118-2 part. This vulnerability may be exploitable wirelessly, within close proximity, via electromagnetic induction.

Affected Software

VendorProductVersion RangeStatus
ISO 15118-2 Network and Application Protocol RequirementsEV Car ChargersPart 15118-2 Network and Application Protocol Requirementsaffected

Weaknesses

  • CWE-923: CWE-923

Workarounds

ISO recommends using TLS for all communications in accordance with ISO 15118-20. While the use of TLS is recommended in ISO 15118-2, it is required in the ISO 15118-20 revision. TLS should be implemented with certificate chaining.

For additional information, please contact the International Electrotechnical Commission https://www.iec.ch/contact .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References