CVE-2025-24956

Medium

Published: 11 February 2025

Modified: 24 September 2025
CVSS Score: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0036 (58.5th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24956 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Siemens Openv2G. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 41.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires validation of information inputs, directly addressing the missing length check during EXI parsing of X509 serial numbers to prevent buffer overflows.

Prevent: Mandates identification, reporting, and correction of system flaws, ensuring timely patching of vulnerable OpenV2G versions prior to V0.9.6.

Prevent: Implements memory protection safeguards that mitigate buffer overflow exploits by preventing unauthorized code execution from memory corruption.

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Buffer overflow in EXI parsing leads to memory corruption and denial of service (A:H impact) with local access, directly enabling T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been identified in OpenV2G (All versions < V0.9.6). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numbers. Thus, an attacker could introduce a buffer overflow that leads to memory corruption.

Deeper analysis (AI)

CVE-2025-24956 is a buffer overflow vulnerability (CWE-120) in the OpenV2G library, affecting all versions prior to V0.9.6. The flaw exists in the EXI parsing feature, which fails to perform a length check when parsing X509 serial numbers, enabling an attacker to trigger memory corruption. The vulnerability received a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) upon its publication on 2025-02-11.

A local attacker can exploit this vulnerability with low complexity and no user interaction or privileges required. Successful exploitation leads to memory corruption, resulting in a high impact on availability (such as denial of service) but no impact on confidentiality or integrity.

Mitigation information is provided in the Siemens CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-647005.html. The issue is addressed in OpenV2G version V0.9.6 and later.

Details

CWE(s)

Affected Products

siemens openv2g ≤ 0.9.6

CVEs Like This One

CVE-2024-53027 (Shared CWE-120)
CVE-2025-20222 (Shared CWE-120)
CVE-2025-28221 (Shared CWE-120)
CVE-2026-20100 (Shared CWE-120)
CVE-2026-30075 (Shared CWE-120)
CVE-2025-20115 (Shared CWE-120)
CVE-2025-50654 (Shared CWE-120)
CVE-2024-53319 (Shared CWE-120)
CVE-2025-50648 (Shared CWE-120)
CVE-2026-28875 (Shared CWE-120)
