PatchSiren cyber security CVE debrief
CVE-2025-24956 Siemens CVE debrief
CVE-2025-24956 affects Siemens OpenV2G and stems from a missing length check while parsing X509 serial numbers in EXI data. Siemens and CISA describe the issue as a buffer overflow that can lead to memory corruption; the provided CVSS vector rates it medium severity, with high availability impact. A vendor fix is available in OpenV2G 0.9.6 or later.
- Vendor
- Siemens
- Product
- OpenV2G
- CVSS
- MEDIUM 6.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
Organizations that deploy or integrate Siemens OpenV2G, especially teams responsible for EV charging, industrial, or embedded environments that process EXI input. Security and operations teams should care if OpenV2G is present in products, test systems, or any workflow that accepts untrusted serialized certificate data.
Technical summary
The advisory states that OpenV2G’s EXI parsing feature is missing a length check when handling X509 serial numbers. That parsing flaw can allow a buffer overflow and resulting memory corruption. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which indicates a local, low-complexity attack path with primary availability impact. Siemens recommends updating to OpenV2G 0.9.6 or later.
Defensive priority
Prioritize remediation for any affected deployment because the flaw can cause memory corruption and the vendor provides a fixed release. Although the CVSS score is medium, the combination of low attack complexity and high availability impact makes this worth prompt operational attention in any system that processes EXI input.
Recommended defensive actions
- Update Siemens OpenV2G to version 0.9.6 or later as the vendor remediation.
- Inventory systems and products that include OpenV2G to confirm whether they are affected.
- Where possible, minimize exposure of affected parsing paths and treat untrusted EXI input cautiously until patched.
- Monitor affected systems for unexpected crashes, memory faults, or process restarts that could indicate parser instability.
- Follow CISA industrial control system defensive guidance and defense-in-depth practices for the surrounding environment.
Evidence notes
The source corpus is CISA advisory ICSA-25-044-08 for Siemens OpenV2G, published on 2025-02-11 and revised on 2025-05-06 for typo fixes only. The advisory text states that the EXI parsing feature is missing a length check when parsing X509 serial numbers, which can lead to a buffer overflow and memory corruption. The remediation listed in the supplied material is to update to OpenV2G 0.9.6 or later. No KEV entry is provided in the supplied corpus.
Official resources
-
CVE-2025-24956 CVE record
CVE.org
-
CVE-2025-24956 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-25-044-08 for CVE-2025-24956 on 2025-02-11 and later revised it on 2025-05-06 for typographical fixes. The supplied corpus does not list the issue in CISA KEV. Siemens’ documented remediation is OpenV2G 0.9.6 or later.