OTPulse

Siemens OpenV2G

Monitor | CVSS 6.2 | ICS-CERT ICSA-25-044-08 | Feb 11, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OpenV2G contains a buffer overflow vulnerability (CWE-120) that could allow an attacker with local access to trigger memory corruption. The vulnerability affects OpenV2G versions prior to 0.9.6. While not remotely exploitable, this could cause denial of service or application crashes in EV charging communication systems. Siemens recommends updating to version 0.9.6 or later and implementing network isolation and access controls for systems running the software.

What this means
What could happen
A buffer overflow in OpenV2G could allow a local attacker to corrupt memory and cause the application to crash, disrupting EV charging communications and coordination. While not remotely exploitable, this could affect the availability of charging infrastructure.
Who's at risk
Organizations operating EV charging infrastructure that use OpenV2G for vehicle-to-grid (V2G) communication should assess their exposure. This primarily affects charging station manufacturers, operators of public and private charging networks, and utilities integrating V2G capabilities into their grid management systems.
How it could be exploited
An attacker with local access to a system running OpenV2G (such as an engineering workstation or charging station controller) could send specially crafted input that overflows a buffer in the software, corrupting memory and causing a denial of service or potentially executing code with the application's privileges.
Prerequisites
  • Local access to a system or process running OpenV2G
  • No special credentials or authentication required
  • Ability to send malformed input to the OpenV2G software
  • Buffer overflow vulnerability
  • Low complexity exploitation
  • No authentication required
  • Affects availability of charging operations
  • Vendor patch available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
OpenV2G | <V0.9.6 | 0.9.6
Remediation & Mitigation
Do now
HARDENING: Restrict local access to systems running OpenV2G to trusted personnel and engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update OpenV2G to version 0.9.6 or later
Long-term hardening
HARDENING: Isolate charging control networks and systems from business networks using firewalls and network segmentation
HARDENING: Use VPNs with strong authentication if remote access to engineering workstations is required
Siemens OpenV2G | CVSS 6.2 - OTPulse