CVE-2025-59694

6.8 MEDIUM

📋 TL;DR

This vulnerability allows a physically proximate attacker to persistently modify firmware on Entrust nShield HSM chassis management boards, potentially compromising the appliance boot process. Attackers can exploit this via JTAG interface manipulation or firmware upgrades. Affected systems include Entrust nShield Connect XC, nShield 5c, and nShield HSMi devices.

💻 Affected Systems

Products:
  • Entrust nShield Connect XC
  • Entrust nShield 5c
  • Entrust nShield HSMi
Versions: Through 13.6.11 or 13.7
Operating Systems: HSM firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects the chassis management board firmware specifically, not the HSM security module itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of HSM security, allowing persistent backdoors, firmware manipulation, and potential extraction of cryptographic keys or tampering with cryptographic operations.

🟠 Likely Case

Physical attackers gaining unauthorized access to modify firmware, potentially disrupting HSM operations or establishing persistence for future attacks.

🟢 If Mitigated

Limited impact with proper physical security controls preventing unauthorized physical access to HSM devices.

🌐 Internet-Facing: LOW - Requires physical access to exploit, not remotely exploitable.
🏢 Internal Only: MEDIUM - Physical access within secure facilities could allow exploitation by malicious insiders or compromised maintenance personnel.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires physical access and JTAG interface knowledge or ability to perform firmware upgrades. Referred to as F03 vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 13.6.11 and 13.7

Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj

Restart Required: Yes

Instructions:

1. Contact Entrust support for firmware updates.
2. Apply the chassis management board firmware update.
3. Reboot the HSM appliance.
4. Verify that the firmware version is updated beyond the vulnerable versions.

🔧 Temporary Workarounds

Physical Security Enhancement (all)

Strengthen physical access controls to prevent unauthorized physical access to HSM devices.

JTAG Interface Disablement (all)

Physically disable or secure JTAG interfaces if not required for maintenance.

🧯 If You Can't Patch

  • Implement strict physical security controls with access logging and monitoring
  • Restrict firmware upgrade capabilities to authorized personnel only

🔍 How to Verify

Check if Vulnerable:

Check chassis management board firmware version via HSM management interface or console. Versions through 13.6.11 or 13.7 are vulnerable.

Check Version:

Use Entrust nShield management tools or console commands specific to your HSM model to check firmware version.

Verify Fix Applied:

Verify firmware version is updated beyond 13.6.11 or 13.7 through HSM management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized physical access logs
  • Unexpected firmware modification events
  • JTAG interface access attempts

Network Indicators:

  • Unusual management interface activity
  • Unexpected firmware update traffic

SIEM Query:

Search for physical access violations OR firmware modification events on HSM devices

🔗 References