CVE-2022-0878

Public Exploit
Novel attack against the Combined Charging System (CCS) in electric vehicles to remotely cause a denial of service

Description

Electric Vehicle (EV) commonly utilises the Combined Charging System (CCS) for DC rapid charging. To exchange important messages such as the State of Charge (SoC) with the Electric Vehicle Supply Equipment (EVSE) CCS uses a high-bandwidth IP link provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously. In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. In addition to electric cars, Brokenwire affects electric ships, airplanes and heavy duty vehicles utilising these standards.

Remediation

Workaround:

  • Using stronger shielded cables and securing the physical paramater might reducing the viability of this attack. Right now, the only way to prevent the attack is not to charge on a DC rapid charger.

Category

4.6
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.09%
Third-Party Advisory brokenwire.fail
Affected: Combined Charging System Combined Charging System
Affected: Combined Charging System HomePlug GreenPHY
Published at:
Updated at:

References

Link Tags
https://www.brokenwire.fail/ third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2022-0878?
CVE-2022-0878 has been scored as a medium severity vulnerability.
How to fix CVE-2022-0878?
As a workaround for remediating CVE-2022-0878: Using stronger shielded cables and securing the physical paramater might reducing the viability of this attack. Right now, the only way to prevent the attack is not to charge on a DC rapid charger.
Is CVE-2022-0878 being actively exploited in the wild?
It is possible that CVE-2022-0878 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-0878?
CVE-2022-0878 affects Combined Charging System Combined Charging System, Combined Charging System HomePlug GreenPHY.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.