CVE-2025-59696
📋 TL;DR
This vulnerability allows a physically proximate attacker to modify or erase tamper event logs on Entrust nShield hardware security modules. Attackers with physical access to the device chassis management board can manipulate security event records. This affects organizations using vulnerable Entrust nShield HSM devices for cryptographic operations.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
An attacker could erase evidence of physical tampering, allowing undetected hardware compromise that could lead to cryptographic key theft or manipulation.
Likely Case
Physical security event logs become unreliable, potentially hiding evidence of unauthorized physical access attempts.
If Mitigated
With proper physical security controls and monitoring, the impact is limited to potential loss of tamper event audit trail integrity.
🎯 Exploit Status
Exploitation requires physical access to the device's chassis management board interface. No authentication required once physical access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 13.6.11 and 13.7
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Contact Entrust support for firmware updates. 2. Schedule maintenance window. 3. Backup configuration and keys. 4. Apply firmware update. 5. Verify tamper event logging functionality.
🔧 Temporary Workarounds
Enhanced Physical Security Controls
allImplement strict physical access controls to prevent unauthorized access to HSM devices
Tamper Event Monitoring
allImplement independent monitoring of tamper events through external logging or security cameras
🧯 If You Can't Patch
- Implement strict physical access controls with logging and surveillance for HSM locations
- Deploy redundant tamper detection mechanisms independent of the vulnerable hardware
🔍 How to Verify
Check if Vulnerable:
Check firmware version via HSM management interface or command: nfkminfo -vCheck Version:
nfkminfo -vVerify Fix Applied:
Verify firmware version is above 13.6.11 or 13.7, and test tamper event logging functionality📡 Detection & Monitoring
Log Indicators:
- Missing or modified tamper event logs
- Unexpected gaps in security event timeline
Network Indicators:
- Not applicable - physical access vulnerability
SIEM Query:
Search for: (event_source="nShield HSM" AND event_type="tamper") | stats count by hour | where count=0