CVE-2025-12357 Overview
CVE-2025-12357 affects electric vehicle (EV) charging communications that implement the ISO 15118-2 standard. The vulnerability resides in the Signal Level Attenuation Characterization (SLAC) protocol used to pair an EV with a charging station over HomePlug Green PHY powerline communications. An attacker who injects spoofed signal attenuation measurements can hijack the pairing process and establish a man-in-the-middle (MITM) position between the vehicle and the charger. The flaw is classified under CWE-923, Improper Restriction of Communication Channel to Intended Endpoints. CISA published this issue in ICS Advisory ICSA-25-303-01.
Critical Impact
A successful MITM enables interception or manipulation of charging session data and authorization exchanges between an EV and an ISO 15118-2 compliant charger, exploitable within adjacent radio range via electromagnetic induction.
Affected Products
- Electric vehicles implementing ISO 15118-2 (ISO 15118 Part 2) vehicle-to-charger communications
- EV Supply Equipment (EVSE) and charging stations compliant with ISO 15118-2
- HomePlug Green PHY SLAC implementations used for EV-charger pairing
Discovery Timeline
- 2025-10-31 - CVE-2025-12357 published to NVD and referenced in CISA advisory ICSA-25-303-01
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12357
Vulnerability Analysis
ISO 15118-2 defines how an EV and an EVSE negotiate a charging session over a powerline communications link. Before higher-layer TLS sessions are established, the two endpoints must first associate at the data-link layer using SLAC. SLAC relies on signal attenuation measurements to confirm that the EV and the EVSE are physically connected through the charging cable rather than through ambient powerline coupling. The vulnerability allows an adjacent attacker to forge those attenuation values and convince a charger that the attacker's device is the legitimate vehicle, or vice versa. Once pairing completes with the attacker in the middle, subsequent ISO 15118-2 messages flow through the adversary.
Root Cause
The SLAC pairing logic trusts attenuation measurements that are not cryptographically authenticated. ISO 15118-2 does not bind the SLAC association to a verified physical channel, so spoofed measurements cannot be distinguished from genuine ones. This is the design weakness captured by CWE-923: the protocol fails to restrict the communication channel to the intended endpoints.
Attack Vector
The attack requires adjacent-network access. An attacker positioned within close proximity to the charging cable couples to the powerline carrier through electromagnetic induction and transmits crafted SLAC frames with manipulated attenuation values. The attacker does not need physical contact with the cable, prior authentication, or user interaction. After winning the SLAC association, the attacker relays or alters ISO 15118-2 traffic such as session setup, service discovery, and authorization messages exchanged between the EV and the EVSE.
No public proof-of-concept code is available. Refer to the CISA ICS Advisory ICSA-25-303-01 and the CSAF document for vendor-coordinated details.
Detection Methods for CVE-2025-12357
Indicators of Compromise
- Duplicate or conflicting SLAC CM_SLAC_PARM.REQ and CM_ATTEN_CHAR.IND frames observed on the powerline segment during a single pairing window
- Anomalous attenuation profiles that do not match the expected physical cable length between the EV and the EVSE
- Repeated SLAC re-association attempts or unexpected MAC address changes for the EV-side PLC modem during a charging session
Detection Strategies
- Capture HomePlug Green PHY management frames at the EVSE and baseline normal SLAC exchanges per charge port
- Alert when SLAC pairing completes with attenuation values outside the statistical distribution observed for that port and cable length
- Correlate EVSE backend logs of ISO 15118-2 session establishment with SLAC association events to surface mismatches
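The indicators and detection strategies above can be turned into a small baseline-and-alert job over EVSE PLC management-frame logs. The following is an added example, not code from the advisory or any vendor: the key=value log format, the per-line "atten_avg_db" summary of the CM_ATTEN_CHAR.IND profile, the backend session record shape and the z-score threshold are all assumptions you would replace with your own logging pipeline's fields. It builds a per-port attenuation baseline, flags CM_ATTEN_CHAR.IND values outside that baseline, flags two different EV MACs sending CM_SLAC_PARM.REQ on one port inside one pairing window, and cross-checks the MAC that completed CM_SLAC_MATCH.CNF against the EVCCID the backend recorded for the ISO 15118-2 session.

```python
"""SLAC pairing anomaly detection over EVSE logs (added example; all formats
and thresholds below are assumptions, not a vendor or standard format)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical "<ts> key=value ..." format.
# atten_avg_db is an assumed per-frame average of the CM_ATTEN_CHAR.IND profile.
BASELINE_LOG = """\
2025-11-01T07:00:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:01 run_id=a1
2025-11-01T07:00:02Z port=1 evt=CM_ATTEN_CHAR.IND ev_mac=02:00:00:00:00:01 run_id=a1 atten_avg_db=11
2025-11-01T09:30:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:02 run_id=a2
2025-11-01T09:30:02Z port=1 evt=CM_ATTEN_CHAR.IND ev_mac=02:00:00:00:00:02 run_id=a2 atten_avg_db=12
2025-11-01T12:15:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:03 run_id=a3
2025-11-01T12:15:02Z port=1 evt=CM_ATTEN_CHAR.IND ev_mac=02:00:00:00:00:03 run_id=a3 atten_avg_db=10
2025-11-01T15:45:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:04 run_id=a4
2025-11-01T15:45:02Z port=1 evt=CM_ATTEN_CHAR.IND ev_mac=02:00:00:00:00:04 run_id=a4 atten_avg_db=13
"""

# Constructed pairing window in which a second PLC modem answers the same run.
SUSPECT_LOG = """\
2025-11-02T08:13:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:05 run_id=b1
2025-11-02T08:13:01Z port=1 evt=CM_SLAC_PARM.REQ ev_mac=02:00:00:00:00:99 run_id=b1
2025-11-02T08:13:02Z port=1 evt=CM_ATTEN_CHAR.IND ev_mac=02:00:00:00:00:99 run_id=b1 atten_avg_db=3
2025-11-02T08:13:03Z port=1 evt=CM_SLAC_MATCH.CNF ev_mac=02:00:00:00:00:99 run_id=b1
"""

# Constructed backend record of the ISO 15118-2 session on the same port.
# In ISO 15118-2 the EVCCID carried in SessionSetupReq is the EVCC's MAC address.
BACKEND_SESSIONS = [{"port": "1", "session_id": "s-100", "evcc_id": "02:00:00:00:00:05"}]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one '<ts> k=v k=v' line into a dict; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec = {"ts": ts}
    for kv in m["kv"].split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def attenuation_baseline(events):
    """Per-port (mean, sample stdev) of CM_ATTEN_CHAR.IND averages; needs >= 2 samples."""
    per_port = defaultdict(list)
    for e in events:
        if e.get("evt") == "CM_ATTEN_CHAR.IND":
            per_port[e["port"]].append(float(e["atten_avg_db"]))
    return {p: (statistics.mean(v), statistics.stdev(v)) for p, v in per_port.items() if len(v) >= 2}


def attenuation_anomalies(events, baseline, z_threshold=3.0, min_sd_db=0.5):
    """Flag CM_ATTEN_CHAR.IND frames whose average lies outside the port baseline.
    min_sd_db floors the stdev so a perfectly constant baseline does not divide by zero."""
    alerts = []
    for e in events:
        if e.get("evt") != "CM_ATTEN_CHAR.IND" or e["port"] not in baseline:
            continue
        mean, sd = baseline[e["port"]]
        z = (float(e["atten_avg_db"]) - mean) / max(sd, min_sd_db)
        if abs(z) > z_threshold:
            alerts.append({"port": e["port"], "ev_mac": e["ev_mac"], "run_id": e["run_id"], "z": round(z, 2)})
    return alerts


def conflicting_parm_requests(events, window_s=10):
    """Flag CM_SLAC_PARM.REQ from two different EV MACs on one port within window_s seconds."""
    per_port = defaultdict(list)
    for e in events:
        if e.get("evt") == "CM_SLAC_PARM.REQ":
            per_port[e["port"]].append(e)
    alerts = []
    for port, reqs in per_port.items():
        reqs.sort(key=lambda r: r["ts"])
        for a, b in zip(reqs, reqs[1:]):
            if a["ev_mac"] != b["ev_mac"] and (b["ts"] - a["ts"]).total_seconds() <= window_s:
                alerts.append({"port": port, "macs": (a["ev_mac"], b["ev_mac"])})
    return alerts


def session_mismatches(events, sessions):
    """Compare the MAC that completed CM_SLAC_MATCH.CNF on a port with the EVCCID
    the backend logged for the ISO 15118-2 session on that port."""
    matched = {e["port"]: e["ev_mac"].lower() for e in events if e.get("evt") == "CM_SLAC_MATCH.CNF"}
    return [{"session_id": s["session_id"], "evcc_id": s["evcc_id"], "slac_mac": matched.get(s["port"])}
            for s in sessions if matched.get(s["port"]) != s["evcc_id"].lower()]


if __name__ == "__main__":
    base = attenuation_baseline(parse_log(BASELINE_LOG))
    suspect = parse_log(SUSPECT_LOG)
    print(attenuation_anomalies(suspect, base))
    print(conflicting_parm_requests(suspect))
    print(session_mismatches(suspect, BACKEND_SESSIONS))
```

The baseline should be rebuilt per charge port and per installed cable, since attenuation depends on cable length and connector wear; a fleet-wide threshold would either miss a short-cable port or drown a long-cable port in false positives. The session cross-check is the cheapest of the three signals to wire into a SIEM because it needs only the SLAC match event and the backend session record, with no per-port statistics.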
Monitoring Recommendations
- Forward EVSE and site controller logs covering SLAC association, TLS handshake, and ISO 15118-2 session identifiers to a central SIEM
- Monitor for unexpected RF or inductive emissions near charging cables using site EMI sensors where deployed
- Track firmware versions across the charging fleet and flag stations running releases prior to the vendor fix
How to Mitigate CVE-2025-12357
Immediate Actions Required
- Review the CISA ICS Advisory ICSA-25-303-01 and identify affected EVSE and EV models in your environment
- Apply vendor firmware updates that enforce ISO 15118-20 or the Plug and Charge profile, which add cryptographic binding above the SLAC layer
- Restrict physical access to charging cables and station enclosures to reduce opportunities for adjacent radio coupling
Patch Information
No single vendor patch covers this protocol-level weakness. Mitigation depends on equipment manufacturers implementing fixes referenced in ICSA-25-303-01 and, where feasible, migrating from ISO 15118-2 to ISO 15118-20, which provides stronger session authentication. Coordinate with EV and EVSE vendors through the IEC contact channel for standards-track updates.
Workarounds
- Enable TLS with mutual certificate validation in ISO 15118-2 deployments to limit what an MITM attacker can read or alter after pairing
- Disable External Identification Means (EIM) flows that bypass Plug and Charge certificate validation where business requirements allow
- Deploy tamper-evident cable management and physical inspection routines at high-value charging sites
- Segment EVSE management networks from corporate and OT networks to contain downstream impact if a session is hijacked
# Configuration example
# The evse-cli command and the configuration keys below are illustrative;
# substitute the equivalent commands and keys of your vendor's management tooling.
# Verify that the EVSE firmware reports the ISO 15118-2 patch level or ISO 15118-20 support
evse-cli show version --component iso15118
# Require mutual TLS so an MITM position gained at the SLAC layer cannot read or alter the session
evse-cli config set iso15118.tls.require_client_cert true
# Prefer Plug and Charge certificate-based authorization over EIM flows
evse-cli config set iso15118.plug_and_charge.enabled true
# Raise an alert when a pairing completes with attenuation values outside the port baseline
evse-cli config set slac.attenuation.anomaly_alert true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.