Executive Summary
In October 2025, a critical vulnerability (CVE-2025-12357) impacting the ISO 15118-2 standard for electric vehicle (EV) chargers was disclosed. The flaw centers on improper restriction of communication channels, specifically enabling attackers to exploit the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements. This manipulation facilitates man-in-the-middle attacks between EVs and compliant chargers, with attacks feasible wirelessly and in close proximity via electromagnetic induction. The vulnerability jeopardizes authentication and data exchange during the EV charging process but has not yet been publicly exploited.
The incident highlights escalating risks across connected infrastructure, especially as EV adoption surges globally. As regulators, manufacturers, and utility providers converge on charging protocols, the need for mandatory end-to-end encryption is increasingly urgent to safeguard against evolving threat actors targeting critical transportation sectors.
Why This Matters Now
The urgency stems from the rapid global expansion of EV infrastructure reliant on ISO 15118-2, which lacks mandatory encryption enforcement. This vulnerability demonstrates that attackers can bypass weak communication protections, making it critical for operators to adopt updated standards and security measures immediately.
Attack Path Analysis
An attacker in close proximity manipulates the unencrypted SLAC protocol to establish a man-in-the-middle foothold between an electric vehicle and charger. Exploiting insufficient channel restriction, the adversary intercepts and potentially alters communications, gaining leverage to pivot within the connected EV infrastructure. Malicious traffic can traverse the environment, establishing covert channels to the attacker's device. Critical data and credentials could then be exfiltrated, potentially undermining EV charging operations and data integrity.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits improperly secured communication channels in the SLAC protocol to perform a man-in-the-middle attack between an EV and charger using spoofed measurements.
Related CVEs
CVE-2025-12357
CVSS: 8.3
By manipulating the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements, an attacker can stage a man-in-the-middle attack between an electric vehicle and chargers that comply with the ISO 15118-2 standard. This vulnerability may be exploitable wirelessly, within close proximity, via electromagnetic induction.
Affected Products:
International Standards Organization ISO 15118-2 Network and Application Protocol Requirements – Part 15118-2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Man-in-the-Middle
Application Layer Protocol: Web Protocols
Acquire Infrastructure: Web Services
Remote Services: Remote Desktop Protocol
Network Sniffing
Exploit Public-Facing Application
Hardware Additions
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication for All Access
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Requirements
Control ID: Art. 9
CISA ZTMM 2.0 – Isolate Critical Assets
Control ID: Network and Environment Segmentation
NIS2 Directive – Technical and Organisational Measures
Control ID: Art. 21(2)
ISO/IEC 27001:2022 – Secure Communication
Control ID: A.8.28
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Electric vehicle charging infrastructure vulnerable to man-in-the-middle attacks via ISO 15118-2 SLAC protocol manipulation, requiring immediate TLS implementation upgrades.
Utilities
EV charging station networks face electromagnetic induction attacks compromising grid integration security, demanding enhanced network segmentation and encrypted communication protocols.
Transportation
Critical infrastructure sector explicitly identified by CISA advisory, with worldwide EV charging systems susceptible to proximity-based wireless exploitation attacks.
Oil/Energy/Solar/Greentech
Energy sector charging infrastructure vulnerable to communication channel manipulation attacks, requiring defensive measures including firewall isolation and VPN security implementations.
Sources
- International Standards Organization ISO 15118-2 (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-01 (Verified)
- ISO Contact Information: https://www.iec.ch/contact?id=40499 (Verified)
- SwRI identifies security vulnerability in EV charging protocol: https://www.swri.org/newsroom/press-releases/swri-identifies-security-vulnerability-ev-charging-protocol (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF controls such as encrypted traffic enforcement, zero trust segmentation, robust egress policies, and distributed visibility would have prevented or significantly constrained this multi-stage man-in-the-middle attack by isolating east-west paths, detecting anomalous traffic, and ensuring that only intended endpoints communicate over protected channels.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents unauthorized interception and manipulation of communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detects anomalies or signature-based compromise attempts on in-transit traffic.
Control: East-West Traffic Security
Mitigation: Restricts lateral movement across workloads and services.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks unsanctioned outbound connections.
Control: Multicloud Visibility & Control
Mitigation: Provides centralized observability and enables real-time detection of data exfiltration events. Limits blast radius and prevents unauthorized impact propagation.
Impact at a Glance
Affected Business Functions
- EV Charging Operations
- Vehicle-to-Grid Communications
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of vehicle and charging station communication data, leading to unauthorized access or manipulation of charging sessions.
Recommended Actions
Key Takeaways & Next Steps
- Enforce end-to-end encryption (e.g., TLS, MACsec) for all EV and charger communications as required by the latest standards.
- Deploy zero trust segmentation and east-west traffic controls to restrict lateral movement and internal attack propagation.
- Implement egress filtering and continuous monitoring to block unauthorized external connections from critical infrastructure.
- Gain centralized multicloud visibility to promptly detect and respond to anomalous or suspicious traffic and access patterns.
- Leverage real-time inline threat detection and policy enforcement to quickly contain man-in-the-middle or protocol exploitation attempts.