PlaxidityX Discovers Critical Vulnerability in Implementation of EV Charging Communication Protocol
TL;DR
A recently disclosed vulnerability (CVE-2025-27071), discovered by the PlaxidityX research team, exposes a critical weakness in an implementation of EV-to-charging-station communication. The stack-based buffer overflow in the open-source open-plc-utils implementation of the SLAC protocol affects both electric vehicles (EVs) and charging stations (EVSEs), potentially enabling arbitrary code execution by an attacker. This finding highlights the cybersecurity risks within EV charging infrastructure and the urgent need to secure protocol implementations across modern charging networks.
As electric vehicle (EV) adoption grows, secure communication between vehicles and charging stations is critical, especially with the rise of Vehicle-to-Grid (V2G) integration. ISO 15118 enables seamless and secure EV charging through asymmetric cryptography, authentication, and encryption, but implementing these security measures correctly can be challenging.
This article describes a critical vulnerability (CVE-2025-27071) discovered by our research team in an implementation of the communication protocol between EVs and charging stations. This buffer overflow could potentially allow an attacker to execute arbitrary code on the affected target. The issue was reported to Qualcomm in December 2024, leading to a security advisory and a subsequent patch for the open-source project in late 2025.
Background: Ensuring Reliable Communications between EVs and Charging Stations
EVs make use of powerline communication (PLC) for high-level communication (i.e., digital communication rather than the analog control-pilot signalling) as part of the Vehicle-to-Grid (V2G) protocol set defined by DIN SPEC 70121 and ISO 15118. PLC is used in commercial charging stations wherever digital communication is required to establish authentication and payment and to negotiate charging schedules between the EV and the charging stations of a grid.
Signal Level Attenuation Characterization (SLAC) is the protocol in the V2G stack that ensures the stability and reliability of PLC: it makes certain that noise and cross-talk on the line do not cause the EV to pair with the wrong charging station in the grid. The EV transmits a series of sounding frames, each charging station measures the attenuation it observes and reports it back, and the EV selects the station with the lowest attenuation, i.e. the one it is physically plugged into. This handshake is a small set of broadcast messages exchanged at the Ethernet layer before any IP communication takes place.
Vulnerability Description: Buffer Overflow in Open Source PLC Firmware (CVE-2025-27071)
open-plc-utils is the open-source version of the Qualcomm Atheros Powerline Toolkit. The project is designed to let users interact with Qualcomm Atheros PLC chips through tools such as plcboot(1), and it also includes implementations of the SLAC protocol for both the EV and the charging station. While SLAC on the EV side is usually implemented in an RTOS environment (AUTOSAR or otherwise), it is common to see the open-plc-utils tools used on charging stations, most of which run Linux.
Most of the messages defined by the SLAC protocol are fixed-size. The variable-size ones are those carrying attenuation measurements. The measurements are sent as a list of per-group attenuation values whose length is given by a one-byte "Number of Groups" field; in practice 58 groups are used. According to the packet structure, the count byte is followed by the list of values, so if "Number of Groups" is 58, then 58 more bytes follow it in the packet. Because the field is a single byte, a sender can set it to anything up to 255.
The vulnerability discovered by our team is a stack-based buffer overflow in the open-plc-utils implementation of the protocol, present both on the EV side and on the EVSE (charging station) side. The root cause is the same in both: the "number of groups" value that gives the length of the variable-size array is taken from the packet and used, without any bounds check, as the length of a subsequent copy into a fixed-size buffer.
EV Side
On the EV side, the charging station sends CM_ATTEN_CHAR_IND, which the EV parses. The message carries the "number of groups" field from the EVSE to the EV:
As seen from the code, the NumGroups value is read directly from the incoming message (cast to a "cm_atten_char_indicate" struct) and used one line later as the length of a memcpy without any bounds check, overflowing the destination (here the "session->AAG" buffer).
The "session" variable is allocated on the stack of the main function, so the overflow is a stack-based one:
It is important to note that, while the compilation environment matters (32- vs 64-bit, alignment decisions, etc.), the "session" and "message" structures alone are already bigger than the maximum of 255 bytes the attacker controls. The overflow therefore cannot reach the saved return address directly; exploitation would have to rely on other tricks, such as corrupting other fields of the session structure that the code later trusts.
EVSE Side
The EVSE side is vulnerable to the same pattern. A missing bounds check on the packet's "numGroups" field leads to a buffer overflow in the "evse_cm_mnbc_sounds" function, where the attacker-controlled numGroups is used, unchecked, as the bound of a for loop that copies data from the incoming indicate packet into a stack-based buffer of 58 bytes:
In this function the stack frame can be estimated to be smaller than 255 bytes, so the overflow can reach the saved return address, which makes exploitability far more plausible than on the EV side.
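The pattern shared by the EV-side CM_ATTEN_CHAR_IND handler and the EVSE-side evse_cm_mnbc_sounds loop, reduced to a runnable C model. This is an added example, not open-plc-utils code: only the one-byte NumGroups count and the AAG list are modelled (the field and buffer names follow the article, the rest of the real message is omitted), the 58-byte destination follows the article, and the stack frame holding "session" is modelled as a single object large enough that a 255-byte copy stays inside it, so the overflow is observable rather than undefined behaviour in the demo itself. The function and helper names are assumptions. The hardened parser adds the two checks the vulnerable code lacks: the count against the destination size, and the count against the length of the frame actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction (not open-plc-utils code) of the two fields that
 * matter for CVE-2025-27071: a one-byte NumGroups count followed by that many
 * attenuation values (the AAG list). The rest of the real message is omitted. */
#define SLAC_NUM_GROUPS 58           /* size of the fixed AAG buffer on the stack */
#define PKT_MAX (1 + 255)            /* NumGroups is one byte, so at most 255 values */

/* Model of the stack frame that holds "session": the fixed AAG buffer followed by
 * whatever locals come after it. The trailing region is sized so that even a
 * 255-byte copy stays inside this one object; that keeps the demo observable
 * rather than undefined behaviour, while showing exactly how many bytes of
 * neighbouring state an oversized count overwrites. */
struct session {
    uint8_t AAG[SLAC_NUM_GROUPS];
    uint8_t after_aag[255 - SLAC_NUM_GROUPS];
};

/* Vulnerable pattern: the count byte from the wire drives the copy unchecked
 * (the EVSE-side for loop does the same thing one byte at a time). The frame
 * length is ignored, which is the other half of the bug. Returns bytes copied. */
int parse_atten_char_unchecked(struct session *s, const uint8_t *pkt, size_t pktlen)
{
    size_t n = pkt[0];                                  /* NumGroups, 0..255 */
    (void)pktlen;                                       /* never consulted */
    memcpy((uint8_t *)s + offsetof(struct session, AAG), pkt + 1, n);
    return (int)n;
}

/* Hardened form: the count may not exceed the destination, and the frame must
 * actually carry that many values (otherwise the copy over-reads the packet). */
int parse_atten_char_checked(struct session *s, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 1)
        return -1;                                      /* no count byte at all */
    size_t n = pkt[0];
    if (n > SLAC_NUM_GROUPS)
        return -1;                                      /* would overflow s->AAG */
    if (pktlen < 1 + n)
        return -1;                                      /* truncated: would over-read */
    memcpy(s->AAG, pkt + 1, n);
    return (int)n;
}

/* Constructed test frame: NumGroups = n followed by n copies of `fill`. The
 * buffer is always PKT_MAX bytes so the unchecked parser reads in bounds and
 * the only bug exercised is the write. Returns the frame's real length. */
size_t build_atten_char_ind(uint8_t out[PKT_MAX], uint8_t n, uint8_t fill)
{
    memset(out, 0, PKT_MAX);
    out[0] = n;
    memset(out + 1, fill, n);
    return 1 + (size_t)n;
}

/* Runs the unchecked parser on a frame with the given count against a session
 * pre-filled with a marker byte, and returns how many bytes past AAG changed. */
size_t overflow_for_count(uint8_t n)
{
    uint8_t pkt[PKT_MAX];
    struct session s;
    size_t k = 0;

    memset(&s, 0xCC, sizeof s);                         /* 0xCC = untouched stack */
    build_atten_char_ind(pkt, n, 0x41);
    parse_atten_char_unchecked(&s, pkt, PKT_MAX);
    while (k < sizeof s.after_aag && s.after_aag[k] != 0xCC)
        k++;
    return k;
}

/* Same frame through the hardened parser, optionally presented with a shorter
 * length than it really has (a truncated capture). Returns the parser's result. */
int checked_result(uint8_t n, size_t claimed_len)
{
    uint8_t pkt[PKT_MAX];
    struct session s;
    size_t len = build_atten_char_ind(pkt, n, 0x41);

    memset(&s, 0, sizeof s);
    if (claimed_len == 0 || claimed_len > len)
        claimed_len = len;
    return parse_atten_char_checked(&s, pkt, claimed_len);
}

int main(void)
{
    printf("NumGroups=58  -> %zu bytes past AAG clobbered\n", overflow_for_count(58));
    printf("NumGroups=200 -> %zu bytes past AAG clobbered\n", overflow_for_count(200));
    printf("NumGroups=255 -> %zu bytes past AAG clobbered\n", overflow_for_count(255));
    printf("checked, 200 groups: %d\n", checked_result(200, 0));
    printf("checked, 58 groups:  %d\n", checked_result(58, 0));
    printf("checked, 58 groups but only 10 bytes on the wire: %d\n", checked_result(58, 10));
    return 0;
}
```

The numbers make the article's two exploitability arguments concrete: the worst case writes 255 - 58 = 197 bytes beyond the AAG buffer, which is why a frame larger than that (the EV side) keeps the return address out of reach, while a frame smaller than that (the EVSE side) does not. The second check in the hardened parser is worth keeping even after the first one fixes the CVE: a count that fits the destination but exceeds the received frame turns the same field into an over-read of whatever lies past the packet buffer.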
Conclusion
The last update to the SLAC module of the open-plc-utils project appears to date from 2013, more than 12 years ago. While it is unlikely that this module is deployed in modern, resource-constrained EV systems as part of a charging-communication ECU, the vulnerability remains relevant because the same module is still commonly used in Linux-based charging-station infrastructure. As such, our discovery highlights the cybersecurity risks within EV charging infrastructure and the need to secure protocol implementations across modern charging networks.
The vulnerability was reported to Qualcomm directly and also resulted in a fix to Qualcomm's internal PLC tool (CVE-2025-27071).
About PlaxidityX Cyber Security Research and Solutions Department
The PlaxidityX Cyber Security Research and Solutions department is a leader in protecting the automotive industry. With a deep understanding of vehicle architectures, protocols, and standards, we provide comprehensive cybersecurity services to our clients.
Our team, backed by decades of expertise in both cybersecurity and the automotive sector, has partnered with major OEMs and Tier 1s on dozens of penetration testing and research projects. Our goal is to verify and strengthen our customers’ cybersecurity posture, helping them meet and exceed key industry regulations like UNR 155 and ISO-21434.
Whether it’s a dedicated research project or the deployment of our advanced PlaxidityX products, we deliver the solutions and insights needed to stay ahead of evolving threats and ensure vehicles are secure throughout their lifecycle.
Published: February 24th, 2026