Siemens OpenV2G
CVSS 6.2 · ICS-CERT ICSA-25-044-08 · Feb 11, 2025
Siemens
Attack path
- Attack Vector: Local
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
OpenV2G contains a buffer overflow vulnerability (CWE-120, buffer copy without checking size of input) in versions before 0.9.6 that could allow a local attacker to trigger memory corruption. The attack vector is local; the vulnerability is not remotely exploitable. Siemens has released version 0.9.6, which resolves the issue. The affected software is the open-source Vehicle-to-Grid (V2G) communication library used in electric vehicle charging infrastructure.
What this means
What could happen
A buffer overflow in OpenV2G could allow an attacker with local access to cause a denial of service by crashing the application or corrupting memory, disrupting V2G charging communication on electric vehicle infrastructure.
Who's at risk
Electric vehicle charging station operators and municipalities managing EV infrastructure that deploy the open-source OpenV2G library on charging equipment or management systems. This affects any system using OpenV2G for vehicle-to-grid communication protocols.
How it could be exploited
An attacker with local access to a system running OpenV2G could supply specially crafted input that overflows a buffer, causing memory corruption that leads to an application crash or unexpected behavior in the charging process.
Prerequisites
- Local access to a system running OpenV2G
- Ability to send input to the vulnerable OpenV2G process
- OpenV2G version earlier than 0.9.6
- Local attack required
- No authentication required for local access
- Low complexity attack
- Denial of service impact
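The following is an added illustration of the CWE-120 pattern this advisory names; it is not OpenV2G's source and does not reproduce its actual bug. The record layout (one length byte followed by a payload), the 16-byte destination buffer and the function names are hypothetical. It places a decoder that trusts a length field taken from the input beside one that bounds that length against both the destination buffer and the input still available, which is the check whose absence turns crafted local input into memory corruption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical length-prefixed field (not OpenV2G's wire format):
 *   byte 0     : payload length n
 *   bytes 1..n : payload
 * The decoder copies the payload into a fixed 16-byte buffer. */
#define NAME_MAX 16

/* CWE-120 pattern: the length comes from the input and is never compared
 * with the destination size or with the bytes actually present.
 * An n larger than NAME_MAX writes past `out`; an n larger than the
 * remaining input reads past `in`. Returns the number of bytes copied. */
size_t decode_name_unchecked(const uint8_t *in, size_t in_len, uint8_t out[NAME_MAX])
{
    if (in_len < 1)
        return 0;
    size_t n = in[0];
    memcpy(out, in + 1, n);            /* no bound on n */
    return n;
}

/* Hardened version: reject any length that does not fit the destination
 * buffer or exceeds the input still available. Returns the number of
 * bytes copied, or -1 if the record is malformed. */
int decode_name_checked(const uint8_t *in, size_t in_len, uint8_t out[NAME_MAX])
{
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    if (n > NAME_MAX)                  /* would overflow the destination */
        return -1;
    if (n > in_len - 1)                /* would read past the input */
        return -1;
    memcpy(out, in + 1, n);
    return (int)n;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: length 5, five payload bytes. */
static const uint8_t good_record[] = { 5, 'E', 'V', 'S', 'E', '1' };
/* Length 20 with twenty payload bytes: fits the input, overflows NAME_MAX. */
static const uint8_t oversize_record[] = {
    20, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
        'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};
/* Length 10 but only three payload bytes follow: over-read on the input. */
static const uint8_t truncated_record[] = { 10, 'A', 'B', 'C' };

int main(void)
{
    uint8_t buf[NAME_MAX];
    /* Benign input: both decoders copy the same five bytes. */
    if (decode_name_unchecked(good_record, sizeof good_record, buf) != 5)
        return 1;
    if (decode_name_checked(good_record, sizeof good_record, buf) != 5)
        return 1;
    /* Only the checked decoder refuses the two malformed records;
     * passing them to decode_name_unchecked would corrupt memory. */
    if (decode_name_checked(oversize_record, sizeof oversize_record, buf) != -1)
        return 1;
    if (decode_name_checked(truncated_record, sizeof truncated_record, buf) != -1)
        return 1;
    return 0;
}
```

The two rejected cases are deliberately different: the oversize record is internally consistent and would pass a check against the input length alone, while the truncated record fits the destination and would pass a check against the buffer size alone. A fix for this bug class needs both comparisons.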
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product | Affected Versions | Fix Status
OpenV2G | < V0.9.6 | 0.9.6
Remediation & Mitigation
Do now
- HARDENING: Restrict local access to systems running OpenV2G to authorized personnel only
- HARDENING: Isolate OpenV2G systems from the internet and untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update OpenV2G to version 0.9.6 or later
CVEs (1)
API: /api/v1/advisories/56fc4009-2f49-4588-8be1-af42651494aa