Siemens OpenV2G

Monitor6.2ICS-CERT ICSA-22-132-15May 10, 2022

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

OpenV2G contains a buffer overflow vulnerability (CWE-120) that could allow an attacker with local access to trigger memory corruption. The vulnerability affects OpenV2G version 0.9.4 and earlier. Siemens recommends updating to version 0.9.5 or later. No known public exploits currently exist, and the vulnerability is not remotely exploitable.

What this means

What could happen

A buffer overflow in OpenV2G could allow an attacker with local access to corrupt memory and crash the software or potentially execute unauthorized code. This could disrupt vehicle-to-grid (V2G) charging operations at EV charging stations or fleet facilities.

Who's at risk

Organizations operating electric vehicle (EV) charging infrastructure that use OpenV2G for vehicle-to-grid communication. This includes municipal utilities, charging network operators, and fleet facilities with V2G-capable charging stations. Affected devices include charging station controllers and communication systems that implement OpenV2G.

How it could be exploited

An attacker would need local access to a system running vulnerable OpenV2G software (e.g., on a charging station control device or connected computer). They could send a specially crafted input to trigger the buffer overflow, corrupting memory and destabilizing the V2G communication process.

Prerequisites

Local network access to the device or system running OpenV2G
No authentication required to trigger the vulnerability
OpenV2G version 0.9.4 or earlier installed

Local access required, not remotely exploitableNo authentication requiredLow complexity attackNo patch available yet at advisory publicationBuffer overflow can cause process disruption

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

OpenV2GV0.9.40.9.5

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGEnsure EV charging infrastructure is not directly accessible from the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate OpenV2G to version 0.9.5 or later

Long-term hardening

0/1

HARDENINGRestrict network access to charging station control systems and isolate them from the business network using firewalls

CVEs (1)

CVE-2022-27242

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/89fe8c4c-e568-4661-852d-bed51d8f8e5e