CVE-2025-12357 | HackTesting

By manipulating the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements, an attacker can stage a man-in-the-middle attack between an electric vehicle and chargers that comply with the ISO 15118-2 part. This vulnerability may be exploitable wirelessly, within close proximity, via electromagnetic induction.

Credits

Mark I. Johnson of Southwest Research Institute reported this vulnerability to CISA.

Sébastien Dudek of Penthertz disclosed this vulnerability publicly.

Jean-Christophe Delaunay and Vincent Fargues of Synacktiv disclosed this vulnerability publicly.

References

https://www.iec.ch/contact?id=40499

https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-01

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-303-01.json