PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-12357 ISO 15118-2 Network and Application Protocol Requirements CVE debrief

CVE-2025-12357 describes a protocol-level vulnerability in ISO 15118-2, the international standard governing communication between electric vehicles (EVs) and charging infrastructure. The Signal Level Attenuation Characterization (SLAC) protocol, used to establish the initial link between vehicle and charger, can be manipulated through spoofed measurements to enable man-in-the-middle positioning. The attack vector is notable for its wireless proximity requirement: exploitation may be achievable via electromagnetic induction without physical cable access.

CISA published the initial advisory on October 30, 2025, with Update A released March 17, 2026, adjusting the CVSS score based on ISO/IEC feedback and adding SSVC vector information. The vulnerability carries a MEDIUM severity rating with CVSS 6.3, reflecting adjacent network access requirements and low impacts on confidentiality, integrity, and availability. The SSVC vector (E:N/A:N/2026-03-16T05:00:00.000000Z) indicates no known exploitation and no automated exploitation capability at the time of assessment. ISO/IEC has addressed this through the ISO 15118-20 revision, which mandates TLS with certificate chaining for all communications, where the -2 revision only recommended it.

Vendor: ISO 15118-2 Network and Application Protocol Requirements
Product: EV Car Chargers
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-10-30
Original CVE updated: 2026-03-17
Advisory published: 2025-10-30
Advisory updated: 2026-03-17

Who should care

Electric vehicle charging infrastructure operators, EV manufacturers implementing ISO 15118 communication stacks, charging station OEMs, utilities operating EV charging networks, and organizations securing operational technology (OT) environments in transportation electrification.

Technical summary

The SLAC (Signal Level Attenuation Characterization) protocol in ISO 15118-2 establishes the communication link between electric vehicles and charging stations by measuring signal attenuation across the charging cable. The vulnerability arises from insufficient authentication of these measurements, allowing an attacker to inject spoofed attenuation values. By manipulating SLAC, an attacker can position themselves as a man-in-the-middle between the vehicle and charger. The wireless exploitation vector via electromagnetic induction is particularly significant: it suggests that physical access to the charging cable may not be required, only close proximity to leverage inductive coupling effects. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects adjacent network access, low attack complexity, no privilege requirements, no user interaction, and low impacts on confidentiality, integrity, and availability. The ISO 15118-20 revision eliminates this attack surface by mandating TLS encryption with certificate chaining, ensuring cryptographic authentication of both endpoints regardless of SLAC session establishment.

Defensive priority

medium

Recommended defensive actions

  • Upgrade EV charging infrastructure implementations to ISO 15118-20, which mandates TLS encryption with certificate chaining for all vehicle-to-charger communications
  • For systems remaining on ISO 15118-2, implement TLS with certificate chaining despite its optional status in that revision
  • Conduct proximity-based risk assessments for charging installations, particularly in unsupervised or public locations where electromagnetic induction attacks could be staged
  • Monitor for anomalous SLAC protocol behavior or unexpected session establishment attempts that may indicate measurement spoofing
  • Contact IEC for additional implementation guidance regarding secure deployment of ISO 15118 standards
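
One way to act on the SLAC monitoring recommendation above, shown as an added example (not code from the advisory, ISO/IEC or this site): a small detector that flags SLAC records deviating from a site baseline. The record format, field names, node inventory, attenuation band and burst limit are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

KNOWN_NODES = {"02:00:00:00:00:01", "02:00:00:00:00:02"}  # assumed site inventory
BASELINE_DB = (10.0, 30.0)   # assumed commissioning band for average attenuation
MAX_RUNS, WINDOW_S = 3, 60   # assumed limit on SLAC runs per station per window

# Constructed records: t=seconds, evse=station, run=SLAC run id,
# node=MAC that reported attenuation, atten_db=reported average attenuation.
EVENTS = [
    {"t": 0,   "evse": "bay-1", "run": "r1", "node": "02:00:00:00:00:01", "atten_db": 18.0},
    {"t": 400, "evse": "bay-2", "run": "r2", "node": "02:00:00:00:00:02", "atten_db": 21.5},
    {"t": 400, "evse": "bay-2", "run": "r2", "node": "02:00:00:00:00:99", "atten_db": 2.0},
    {"t": 900, "evse": "bay-1", "run": "r3", "node": "02:00:00:00:00:01", "atten_db": 17.0},
    {"t": 910, "evse": "bay-1", "run": "r4", "node": "02:00:00:00:00:01", "atten_db": 17.5},
    {"t": 920, "evse": "bay-1", "run": "r5", "node": "02:00:00:00:00:01", "atten_db": 18.0},
    {"t": 930, "evse": "bay-1", "run": "r6", "node": "02:00:00:00:00:01", "atten_db": 17.0},
]

def slac_alerts(events):
    """Return sorted (run, reason) pairs for records that deviate from the site baseline."""
    alerts = set()
    starts = defaultdict(dict)            # evse -> {run: first timestamp seen}
    lo, hi = BASELINE_DB
    for e in events:
        if e["node"] not in KNOWN_NODES:
            alerts.add((e["run"], "unknown-node"))
        if not lo <= e["atten_db"] <= hi:
            alerts.add((e["run"], "attenuation-out-of-band"))
        starts[e["evse"]].setdefault(e["run"], e["t"])
    for runs in starts.values():
        ordered = sorted(runs.items(), key=lambda kv: kv[1])
        for i, (run, t) in enumerate(ordered):
            # Count runs on this station that began within WINDOW_S before this one.
            recent = [r for r, ts in ordered[: i + 1] if t - ts <= WINDOW_S]
            if len(recent) > MAX_RUNS:
                alerts.add((run, "session-burst"))
    return sorted(alerts)

if __name__ == "__main__":
    for run, reason in slac_alerts(EVENTS):
        print(run, reason)
```

Alerts from a detector like this are triage signals only; the baseline band and node inventory have to come from each installation's own commissioning data.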

Evidence notes

Advisory ICSA-25-303-01 published 2025-10-30; Update A published 2026-03-17 with CVSS adjustment and SSVC vector addition per ISO/IEC feedback. SSVC assessment dated 2026-03-16 indicates no known exploitation. Remediation guidance specifies ISO 15118-20 TLS mandate versus ISO 15118-2 recommendation.
