Security Vulnerability Report
CVE-2025-59700 CVSS 3.9 LOW

CVE-2025-59700

Published: 2025-12-02 15:15:56
Last Modified: 2026-01-06 21:15:43

Description

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection).

CVSS Details

CVSS Score: 3.9
Severity: LOW
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:* (versions before 13.6.12) - VULNERABLE
cpe:2.3:o:entrust:nshield_5c_firmware:*:*:*:*:*:*:*:* (versions from 13.7, before 13.9.0) - VULNERABLE
cpe:2.3:h:entrust:nshield_5c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:* (versions before 13.6.12) - VULNERABLE
cpe:2.3:o:entrust:nshield_hsmi_firmware:*:*:*:*:*:*:*:* (versions from 13.7, before 13.9.0) - VULNERABLE
cpe:2.3:h:entrust:nshield_hsmi:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:* (versions before 13.6.12) - VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_base_firmware:*:*:*:*:*:*:*:* (versions from 13.7, before 13.9.0) - VULNERABLE
cpe:2.3:h:entrust:nshield_connect_xc_base:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:* (versions before 13.6.12) - VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_mid_firmware:*:*:*:*:*:*:*:* (versions from 13.7, before 13.9.0) - VULNERABLE
cpe:2.3:h:entrust:nshield_connect_xc_mid:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:* (versions before 13.6.12) - VULNERABLE
cpe:2.3:o:entrust:nshield_connect_xc_high_firmware:*:*:*:*:*:*:*:* (versions from 13.7, before 13.9.0) - VULNERABLE
cpe:2.3:h:entrust:nshield_connect_xc_high:-:*:*:*:*:*:*:* - NOT VULNERABLE
Entrust nShield Connect XC < 13.6.11
Entrust nShield 5c < 13.6.11
Entrust nShield HSMi < 13.6.11
Entrust nShield Connect XC < 13.7
Entrust nShield 5c < 13.7
Entrust nShield HSMi < 13.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59700 PoC Concept
# This is a conceptual PoC demonstrating the vulnerability
# Actual exploitation requires physical access and root privileges

# Note: This vulnerability requires:
# 1. Physical proximity to the target HSM device (AV:P)
# 2. Root-level access to the device (PR:H)
# 3. Ability to mount/modify the Recovery Partition

# Conceptual attack steps:
# 1. Gain physical access to the nShield HSM device
# 2. Obtain root privileges through other means (not part of this CVE)
# 3. Mount the Recovery Partition (typically /dev/mtdblockX or similar)
# 4. Modify Recovery Partition contents without integrity checks
# 5. Device will boot with modified Recovery Partition on next restart

# Example verification command (requires physical access):
# cat /proc/mtd | grep recovery
# hexdump -C /dev/mtdblockX | head -20

# Since no cryptographic signature verification exists,
# modified images will be accepted without validation

# Note: This is a LOW severity vulnerability due to:
# - Physical access requirement (AV:P)
# - Root privilege requirement (PR:H)
# - No remote exploitation vector

References

Raw JSON Data
