International Standards Organization ISO 15118-2 (Update A)
CVSS 6.3 · ICS-CERT ICSA-25-303-01 · Oct 30, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The ISO 15118-2 Network and Application Protocol standard makes TLS optional rather than mandatory for communication between an electric vehicle (EV) and a charging station, so a conforming implementation may run the charging session in plaintext. An attacker positioned on the same network can then perform a man-in-the-middle attack, intercepting and modifying the EV charging protocol messages: reading sensitive data such as authentication credentials or billing information, or injecting commands that alter charging behaviour. The ISO 15118-20 revision addresses this by making TLS mandatory.
What this means
What could happen
An attacker positioned on the network between an electric vehicle and charging station could intercept, read, and modify communications, potentially altering charging parameters or stealing authentication data.
Who's at risk
Electric vehicle charging station operators and charging network providers using ISO 15118-2 protocol implementations should be concerned. This includes municipal and utility-owned public charging infrastructure, workplace chargers at larger facilities, and any charging management system that processes EV communications without TLS encryption.
How it could be exploited
An attacker on the same network segment (or with access to the communication path between EV and charger) performs a man-in-the-middle attack by intercepting ISO 15118-2 messages that are carried in plaintext, or over TLS without proper certificate validation. The attacker can then read sensitive data or inject malicious commands without detection, since neither side can tell that the session was tampered with.
Prerequisites
- Network access to the communication path between EV and charging infrastructure (adjacent network segment or shared WiFi)
- No TLS on the ISO 15118-2 session, or TLS without proper certificate validation
- Ability to redirect traffic on that segment (for example ARP or IPv6 neighbor-discovery spoofing, or an inline tap on the link)
Tags: man-in-the-middle attack vector; no authentication required on standard; affects charging infrastructure; no patch available for ISO 15118-2; CVSS 6.3 indicates moderate (medium) severity
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
ISO 15118 Standard: Part 15118-2 Network and Application Protocol Requirements | All versions | No fix (EOL)
Remediation & Mitigation
Schedule: requires maintenance window
Patching may require device reboot; plan for process interruption
HARDENING: Implement TLS for all ISO 15118-2 sessions between EV and charging equipment (configure the SECC so it only offers a TLS endpoint, never a plaintext one)
HARDENING: Validate the full certificate chain on every TLS connection rather than accepting any presented certificate
Long-term hardening
HOTFIX: Upgrade to ISO 15118-20 (or later revisions), where TLS is mandatory rather than optional
Mitigations - no patch available
ISO 15118 Standard: Part 15118-2 Network and Application Protocol Requirements is listed as End of Life; no patch will be released for the standard itself. Apply the following compensating controls:
HARDENING: Segment EV charging networks from general IT networks to limit an attacker's ability to reach the EV-to-charger communication path
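The prerequisite above ("no TLS on the session") and the first hardening item ("only offer a TLS endpoint") both come down to one message: in ISO 15118-2 the EV learns whether the session will use TLS from the SECC Discovery Protocol (SDP) response the charger sends over UDP before the TCP session opens. The following is an added example, not code from the advisory or from any ISO 15118 implementation. It parses V2GTP/SDP datagrams, audits captured traffic for chargers advertising a plaintext endpoint, and shows a permissive SECC policy beside a TLS-required one. The V2GTP header layout and the SDP code points (payload types 0x9000/0x9001, security 0x00 = TLS, 0x10 = no transport-layer security) are as the editor recalls them from ISO 15118-2 and should be checked against the standard text; the datagrams, the SECC address and the function names `secc_answer` and `audit` are constructed for illustration.

```python
"""Audit ISO 15118-2 SDP exchanges for plaintext (non-TLS) sessions.

Added example, not part of the advisory. Field layouts and code points are
taken from ISO 15118-2 (V2GTP and SDP) as recalled by the editor; verify
against the standard. All sample datagrams below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# V2G Transfer Protocol header: version, inverse version, payload type, length
V2GTP_VERSION = 0x01
V2GTP_INVERSE_VERSION = 0xFE
PAYLOAD_SDP_REQUEST = 0x9000   # EV -> SECC, 2-byte payload
PAYLOAD_SDP_RESPONSE = 0x9001  # SECC -> EV, 20-byte payload
SECURITY_TLS = 0x00            # "secured with TLS"
SECURITY_NONE = 0x10           # "no transport layer security"
TRANSPORT_TCP = 0x00


@dataclass
class SdpMessage:
    kind: str                          # "request" or "response"
    security: int
    transport: int
    secc_addr: Optional[bytes] = None  # 16-byte IPv6 address (response only)
    secc_port: Optional[int] = None


def parse_v2gtp(datagram: bytes) -> Tuple[int, bytes]:
    """Validate the 8-byte V2GTP header and return (payload_type, payload)."""
    if len(datagram) < 8:
        raise ValueError("short V2GTP header")
    version, inverse, ptype, plen = struct.unpack("!BBHI", datagram[:8])
    if version != V2GTP_VERSION or inverse != V2GTP_INVERSE_VERSION:
        raise ValueError("bad V2GTP version bytes")
    payload = datagram[8:]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return ptype, payload


def parse_sdp(datagram: bytes) -> SdpMessage:
    """Decode an SDP request or response carried in V2GTP."""
    ptype, payload = parse_v2gtp(datagram)
    if ptype == PAYLOAD_SDP_REQUEST and len(payload) == 2:
        return SdpMessage("request", payload[0], payload[1])
    if ptype == PAYLOAD_SDP_RESPONSE and len(payload) == 20:
        addr, port, sec, tp = struct.unpack("!16sHBB", payload)
        return SdpMessage("response", sec, tp, addr, port)
    raise ValueError("not an SDP message (type 0x%04x, %d bytes)" % (ptype, len(payload)))


def build_sdp_response(secc_addr: bytes, secc_port: int, security: int) -> bytes:
    """Encode an SDP response announcing where (and how securely) to connect."""
    payload = struct.pack("!16sHBB", secc_addr, secc_port, security, TRANSPORT_TCP)
    header = struct.pack("!BBHI", V2GTP_VERSION, V2GTP_INVERSE_VERSION,
                         PAYLOAD_SDP_RESPONSE, len(payload))
    return header + payload


def secc_answer(request: bytes, secc_addr: bytes, secc_port: int, require_tls: bool) -> bytes:
    """Hypothetical SECC policy. Permissive mode mirrors whatever security the EV
    asked for, which is how a plaintext session comes about; TLS-required mode
    only ever advertises a TLS endpoint, so a plaintext request gets no plaintext
    answer (the hardening the advisory recommends)."""
    req = parse_sdp(request)
    security = SECURITY_TLS if require_tls else req.security
    return build_sdp_response(secc_addr, secc_port, security)


def audit(datagrams: List[bytes]) -> List[str]:
    """Return one finding per SDP response that points the EV at a non-TLS endpoint."""
    findings = []
    for d in datagrams:
        try:
            msg = parse_sdp(d)
        except ValueError:
            continue  # not SDP (e.g. an EXI-encoded V2G message); skip
        if msg.kind == "response" and msg.security != SECURITY_TLS:
            addr = ipaddress.IPv6Address(msg.secc_addr)
            findings.append("SECC [%s]:%d advertised NO TLS (security=0x%02x)"
                            % (addr, msg.secc_port, msg.security))
    return findings


# Constructed sample data: an EV asking for a session without TLS.
REQUEST_NO_TLS = bytes([0x01, 0xFE, 0x90, 0x00, 0x00, 0x00, 0x00, 0x02, SECURITY_NONE, TRANSPORT_TCP])
SECC_ADDR = ipaddress.IPv6Address("fe80::1").packed  # constructed link-local address
SECC_PORT = 61341

if __name__ == "__main__":
    permissive = secc_answer(REQUEST_NO_TLS, SECC_ADDR, SECC_PORT, require_tls=False)
    hardened = secc_answer(REQUEST_NO_TLS, SECC_ADDR, SECC_PORT, require_tls=True)
    for line in audit([REQUEST_NO_TLS, permissive, hardened]):
        print(line)
```

Run `audit` over the SDP responses captured on the charging segment (UDP port 15118); any finding is a charger that will accept a plaintext session and is exposed exactly as described above. Note that a TLS-required SECC only removes the plaintext option; the certificate-chain validation in the second hardening item is still needed, because a TLS session whose certificates are not checked can be intercepted just as easily.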
CVEs (1)
API:
/api/v1/advisories/e40d5096-8319-44e9-8ee5-d4b1fe06ea55