CVE-2025-24956

Medium

Published: 11 February 2025

Modified: 24 September 2025
CVSS v4 score: 6.9 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0036 (58.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24956 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Siemens OpenV2G. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 41.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24956 is a buffer overflow vulnerability (CWE-120) in the OpenV2G library, affecting all versions prior to V0.9.6. The flaw exists in the EXI parsing feature, which fails to perform a length check when parsing X509 serial numbers, enabling an attacker to trigger memory corruption. The vulnerability received a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) upon its publication on 2025-02-11.

A local attacker can exploit this vulnerability with low complexity and no user interaction or privileges required. Successful exploitation leads to memory corruption, resulting in a high impact on availability (such as denial of service) but no impact on confidentiality or integrity.

Mitigation information is provided in the Siemens CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-647005.html. The issue is addressed in OpenV2G version V0.9.6 and later.

Vulnerability details

A vulnerability has been identified in OpenV2G (All versions < V0.9.6). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numbers. Thus, an attacker could introduce a buffer overflow that leads to memory corruption.
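
The length check described above, shown as an added example that is not OpenV2G's own code: a bounds-checked decoder for an EXI Unsigned Integer (7 value bits per octet, least significant group first, high bit set while more octets follow) writing into a fixed-size serial-number buffer. The names `serial_t` and `decode_serial`, the byte-aligned input and the 20-octet cap (the RFC 5280 serial-number limit) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX_OCTETS 20 /* assumed cap (RFC 5280 serial-number limit) */
enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_TOO_LONG = -2 };

typedef struct {              /* hypothetical fixed-size destination */
    uint8_t bytes[SERIAL_MAX_OCTETS]; /* magnitude, least significant byte first */
    size_t  len;
} serial_t;

/* Decode one EXI Unsigned Integer from byte-aligned input into out.
 * Every write is bounds-checked, so an attacker-chosen length cannot
 * run past out->bytes; oversize or unterminated input is rejected. */
int decode_serial(const uint8_t *in, size_t in_len, serial_t *out, size_t *used)
{
    size_t i = 0, bitpos = 0;
    memset(out, 0, sizeof *out);
    for (;;) {
        if (i >= in_len) return DEC_TRUNCATED;      /* no terminating octet */
        uint8_t oct = in[i++], grp = oct & 0x7F;
        size_t byte = bitpos / 8;
        unsigned shift = (unsigned)(bitpos % 8);
        uint8_t spill = (uint8_t)(grp >> (8 - shift)); /* bits crossing into next byte */
        /* The length check: refuse before touching memory outside the buffer. */
        if (byte >= SERIAL_MAX_OCTETS || (spill && byte + 1 >= SERIAL_MAX_OCTETS))
            return DEC_TOO_LONG;
        out->bytes[byte] |= (uint8_t)(grp << shift);
        if (spill) out->bytes[byte + 1] |= spill;
        bitpos += 7;
        if (!(oct & 0x80)) break;                   /* high bit clear: last octet */
    }
    out->len = SERIAL_MAX_OCTETS;
    while (out->len > 0 && out->bytes[out->len - 1] == 0) out->len--;
    *used = i;
    return DEC_OK;
}

int main(void)
{
    const uint8_t sample[] = { 0xAC, 0x02 };        /* constructed input: value 300 */
    serial_t s; size_t used = 0;
    int rc = decode_serial(sample, sizeof sample, &s, &used);
    printf("rc=%d len=%zu used=%zu\n", rc, s.len, used);
    return rc == DEC_OK ? 0 : 1;
}
```

The decoder also rejects non-canonical encodings that pad the value with continuation octets beyond the cap, so the number of octets consumed is bounded regardless of the value they carry.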

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in EXI parsing leads to memory corruption and denial of service (A:H impact) with local access, directly enabling T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20115 (shared CWE-120)
CVE-2020-37205 (shared CWE-120)
CVE-2026-28875 (shared CWE-120)
CVE-2020-37194 (shared CWE-120)
CVE-2020-37180 (shared CWE-120)
CVE-2024-24419 (shared CWE-120)
CVE-2019-25353 (shared CWE-120)
CVE-2026-30075 (shared CWE-120)
CVE-2020-37213 (shared CWE-120)
CVE-2021-47798 (shared CWE-120)

Affected Assets

siemens
openv2g
≤ 0.9.6

Mitigating Controls (NIST 800-53 r5)

prevent

Requires validation of information inputs, directly addressing the missing length check during EXI parsing of X509 serial numbers to prevent buffer overflows.

prevent

Mandates identification, reporting, and correction of system flaws, ensuring timely patching of vulnerable OpenV2G versions prior to V0.9.6.

prevent

Implements memory protection safeguards that mitigate buffer overflow exploits by preventing unauthorized code execution from memory corruption.
