CVE-2025-24956
Published: 11 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-24956 is a buffer overflow vulnerability (CWE-120) in the OpenV2G library, affecting all versions prior to V0.9.6. The flaw exists in the EXI parsing feature, which fails to perform a length check when parsing X509 serial numbers, enabling an attacker to trigger memory corruption. The vulnerability received a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) upon its publication on 2025-02-11.
A local attacker can exploit this vulnerability with low complexity and no user interaction or privileges required. Successful exploitation leads to memory corruption, resulting in a high impact on availability (such as denial of service) but no impact on confidentiality or integrity.
Mitigation information is provided in the Siemens CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-647005.html. The issue is addressed in OpenV2G version V0.9.6 and later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in EXI parsing leads to memory corruption and denial of service (A:H impact) with local access, directly enabling T1499.004 Application or System Exploitation.