CVE-2025-59695

9.8 CRITICAL

📋 TL;DR

This vulnerability allows users with root access to the operating system to modify firmware on the Chassis Management Board without authentication. This affects Entrust nShield Connect XC, nShield 5c, and nShield HSMi hardware security modules. Attackers with root privileges can potentially compromise the hardware security module's management interface.

💻 Affected Systems

Products:
  • Entrust nShield Connect XC
  • Entrust nShield 5c
  • Entrust nShield HSMi
Versions: Through 13.6.11 or 13.7
Operating Systems: All supported OS for these HSMs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires root access to the host system where the HSM is connected. The vulnerability is in the firmware update mechanism for the Chassis Management Board.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with root access could install malicious firmware on the Chassis Management Board, potentially gaining persistent control over the HSM, extracting cryptographic keys, or disabling security functions entirely.

🟠

Likely Case

Malicious insiders or attackers who have already gained root access could modify firmware to establish persistence, bypass security controls, or exfiltrate sensitive cryptographic material.

🟢

If Mitigated

With proper access controls limiting root access and network segmentation, the attack surface is significantly reduced, though the vulnerability remains present in the firmware.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires root access to the host system. The vulnerable component is the firmware update process (referred to as F04), which performs no authentication of the update once root access has been obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 13.6.11 and 13.7

Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj

Restart Required: Yes

Instructions:

1. Contact Entrust support for firmware updates.
2. Schedule a maintenance window for the HSM firmware update.
3. Back up all cryptographic keys and configurations.
4. Apply the firmware update following vendor instructions.
5. Verify the firmware version after the update.
6. Restore keys and configurations if needed.

🔧 Temporary Workarounds

Restrict Root Access

Platform: all

Implement strict access controls to prevent unauthorized users from obtaining root privileges on systems connected to HSMs.

  • Implement sudo restrictions
  • Use privileged access management
  • Enforce multi-factor authentication for administrative access

Network Segmentation

Platform: all

Isolate HSM management interfaces from general network access and restrict them to authorized management systems only.

  • Configure firewall rules to restrict access to HSM management ports
  • Implement VLAN segmentation for HSM networks

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for root access on all systems connected to affected HSMs
  • Isolate HSM management networks and implement network-based intrusion detection for anomalous firmware update attempts

🔍 How to Verify

Check if Vulnerable:

Check HSM firmware version using vendor-specific tools or management interfaces. Versions through 13.6.11 or 13.7 are vulnerable.

Check Version:

Use vendor-specific commands (nfkminfo or equivalent HSM management utilities) to check the firmware version.

Verify Fix Applied:

Verify firmware version is updated beyond 13.6.11 or 13.7 using vendor management tools or command-line interfaces.
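The version comparison above is easy to get wrong by hand across a fleet (13.7 versus 13.7.1, 13.6.9 versus 13.6.11). The following script, added here as an example and not part of this advisory or of any Entrust tooling, turns the page's "through 13.6.11 or 13.7" rule into a check you can run over version strings copied from the vendor utilities. It assumes that every release up to and including 13.6.11 is affected, that 13.7 means 13.7.0, and that 13.6.12 and 13.7.1 or later are fixed; confirm the exact fixed build with Entrust before relying on the result.

```python
import re
from typing import List, Tuple

# Assumed interpretation of "through 13.6.11 or 13.7" (see lead-in): confirm with the vendor.
LAST_VULNERABLE_13_6 = (13, 6, 11)   # everything <= this is affected
VULNERABLE_13_7 = (13, 7, 0)         # 13.7 itself is affected, 13.7.1+ assumed fixed

# Matches "13.6.11", "13.7" or "v13.7.1" anywhere in a line of tool output.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first x.y[.z] version from text, normalising 13.7 to (13, 7, 0)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """True when the firmware version falls inside the affected range."""
    parsed = parse_version(version)
    return parsed <= LAST_VULNERABLE_13_6 or parsed == VULNERABLE_13_7


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (module, version) pair as VULNERABLE, FIXED or UNKNOWN (unparsable)."""
    report = []
    for module, version in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(version) else "FIXED"
        except ValueError:
            status = "UNKNOWN"
        report.append((module, version, status))
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration; module names and versions are made up.
    sample = [
        ("nshield-xc-01", "firmware version 13.6.11"),
        ("nshield-xc-02", "13.6.12"),
        ("nshield-5c-01", "13.7"),
        ("nshield-5c-02", "13.7.1"),
        ("nshield-hsmi-01", "version unavailable"),
    ]
    for module, version, status in triage(sample):
        print(f"{module:16} {version:28} {status}")
```

Feed it the version lines as reported by your own management tooling; anything reported as UNKNOWN needs a manual look rather than being assumed safe.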

📡 Detection & Monitoring

Log Indicators:

  • Unexpected firmware update attempts
  • Root access to HSM-connected systems outside maintenance windows
  • Failed authentication attempts followed by successful root access

Network Indicators:

  • Firmware update traffic to HSM management interfaces outside scheduled maintenance
  • Unauthorized access attempts to HSM management ports

SIEM Query:

source="hsm_logs" AND (event_type="firmware_update" OR event_type="root_access") AND NOT maintenance_window=true
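To show what that query and the log indicators above actually catch, here is an added Python example (not part of this advisory, and not a real nShield or SIEM log format) that applies the same filter to a handful of constructed JSON-lines events and adds the one correlation the indicator list asks for: failed authentication attempts followed by successful root access on the same host. Field names (`source`, `event_type`, `maintenance_window`, `host`, `ts`) mirror the query and are assumptions.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events; timestamps, hosts and event types are made up for the demo.
SAMPLE_LOGS = """\
{"ts": "2025-10-01T02:00:00", "source": "hsm_logs", "host": "hsm-host-1", "event_type": "firmware_update", "maintenance_window": true}
{"ts": "2025-10-01T14:05:00", "source": "hsm_logs", "host": "hsm-host-2", "event_type": "auth_failure", "maintenance_window": false}
{"ts": "2025-10-01T14:06:00", "source": "hsm_logs", "host": "hsm-host-2", "event_type": "auth_failure", "maintenance_window": false}
{"ts": "2025-10-01T14:07:00", "source": "hsm_logs", "host": "hsm-host-2", "event_type": "auth_failure", "maintenance_window": false}
{"ts": "2025-10-01T14:08:00", "source": "hsm_logs", "host": "hsm-host-2", "event_type": "root_access", "maintenance_window": false}
{"ts": "2025-10-01T14:20:00", "source": "hsm_logs", "host": "hsm-host-2", "event_type": "firmware_update", "maintenance_window": false}
{"ts": "2025-10-01T15:00:00", "source": "hsm_logs", "host": "hsm-host-3", "event_type": "root_access", "maintenance_window": false}
{"ts": "2025-10-01T15:01:00", "source": "syslog", "host": "web-1", "event_type": "root_access", "maintenance_window": false}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a real datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def matches_siem_query(event: Dict) -> bool:
    """Equivalent of: source="hsm_logs" AND (firmware_update OR root_access) AND NOT maintenance_window=true."""
    return (
        event.get("source") == "hsm_logs"
        and event.get("event_type") in {"firmware_update", "root_access"}
        and not event.get("maintenance_window", False)
    )


def flag_events(events: List[Dict]) -> List[Dict]:
    """Every event the advisory's SIEM query would return."""
    return [e for e in events if matches_siem_query(e)]


def failed_auth_then_root(events: List[Dict], min_failures: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Root access on a host preceded by >= min_failures auth failures within the window."""
    alerts = []
    for index, event in enumerate(events):
        if event.get("source") != "hsm_logs" or event.get("event_type") != "root_access":
            continue
        earliest = event["ts"] - window
        prior_failures = [
            p for p in events[:index]
            if p.get("host") == event.get("host")
            and p.get("event_type") == "auth_failure"
            and p["ts"] >= earliest
        ]
        if len(prior_failures) >= min_failures:
            alerts.append({"host": event["host"], "ts": event["ts"], "failures": len(prior_failures)})
    return alerts


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOGS)
    for e in flag_events(parsed):
        print(f"QUERY HIT  {e['ts'].isoformat()} {e['host']:12} {e['event_type']}")
    for a in failed_auth_then_root(parsed):
        print(f"CORRELATED {a['ts'].isoformat()} {a['host']:12} {a['failures']} auth failures then root_access")
```

The in-window firmware update on hsm-host-1 is dropped by the maintenance-window clause, the syslog event is dropped by the source clause, and only hsm-host-2 trips the failed-auth-then-root correlation; tune `min_failures` and `window` to your own baseline before alerting on it.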
