International Standards Organization ISO 15118-2 (Update A)

MonitorCVSS 6.3ICS-CERT ICSA-25-303-01Oct 30, 2025

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ISO 15118-2 does not mandate encryption for network communications between electric vehicles and charging equipment. This allows man-in-the-middle attacks where an attacker on the local network can intercept, read, or modify charging session messages. ISO 15118-20 revision addresses this by making TLS encryption mandatory, but the current ISO 15118-2 standard only recommends TLS without enforcement. Devices implementing this standard without additional encryption are vulnerable to traffic inspection and modification attacks during EV charging sessions.

What this means

What could happen

An attacker positioned on the network between an EV charger and vehicle could intercept or modify communication messages, potentially altering charging parameters or compromising authentication between the vehicle and charger.

Who's at risk

EV charging infrastructure operators and vehicle manufacturers using ISO 15118-2 for communication between electric vehicles and charging equipment should be concerned. This affects public and private charging networks, fleet operators, and vehicle manufacturers implementing the standard in their charging systems.

How it could be exploited

An attacker with network access between an EV charger and electric vehicle exploits the lack of mandatory encryption in ISO 15118-2 to position themselves as a man-in-the-middle. The attacker intercepts unencrypted messages exchanged during the charging handshake and can read or alter them without detection.

Prerequisites

Network access to the communication path between EV charger and vehicle
Presence on the local network segment or ability to ARP spoof/intercept traffic
Devices using ISO 15118-2 without additional TLS implementation

Man-in-the-middle attack possibleNo authentication required for exploitationRequires network access on same segmentStandard is widely deployed in EV charging infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

ISO 15118 Standard: Part 15118-2 Network and Application Protocol RequirementsAll versionsNo fix (EOL)

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement TLS encryption for all ISO 15118-2 communications with certificate chaining validation

HARDENINGRestrict network access to charger communication ports using firewalls or network segmentation to prevent untrusted devices from reaching the charger

Long-term hardening

0/1

HOTFIXUpgrade or migrate to ISO 15118-20 revision when charger and vehicle hardware supports it, as TLS is mandatory in that standard

CVEs (1)

CVE-2025-12357

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e40d5096-8319-44e9-8ee5-d4b1fe06ea55

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.