CVE-2025-59697
📋 TL;DR
This vulnerability allows a physically proximate attacker to edit the Legacy GRUB bootloader configuration on affected Entrust nShield HSM devices, enabling them to start a root shell upon boot and escalate privileges. It affects nShield Connect XC, nShield 5c, and nShield HSMi devices. Attackers need physical access to the device to exploit this.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access gains full root privileges on the HSM host OS, potentially compromising cryptographic keys and sensitive operations.
Likely Case
Unauthorized physical access leads to privilege escalation, allowing attackers to manipulate HSM configurations or extract sensitive data.
If Mitigated
With proper physical security controls, the risk is minimal as exploitation requires direct physical interaction.
🎯 Exploit Status
Exploitation involves editing GRUB configuration during boot, which is straightforward with physical access. Public details are available in Google's security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 13.6.11 and 13.7 (check vendor for specific fixed versions)
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Check current HSM firmware version. 2. Contact Entrust support for patched firmware. 3. Apply firmware update following vendor instructions. 4. Reboot the HSM device to activate changes.
🔧 Temporary Workarounds
Secure Boot Configuration
linuxImplement secure boot mechanisms to prevent unauthorized GRUB edits, such as password-protecting GRUB or using UEFI Secure Boot.
Edit /etc/default/grub to set GRUB_PASSWORD or similar, then run update-grub
Physical Security Controls
allEnhance physical security around HSM devices to restrict access to authorized personnel only.
🧯 If You Can't Patch
- Implement strict physical access controls (e.g., locked server racks, surveillance) to prevent unauthorized proximity.
- Monitor boot logs for unusual GRUB configuration changes or unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check HSM firmware version via vendor-specific commands or management interface; if version is 13.6.11 or earlier, or 13.7, it is vulnerable.Check Version:
Use Entrust nShield management tools or CLI commands specific to the device model (e.g., nfkminfo on Linux hosts).Verify Fix Applied:
After patching, verify firmware version is updated beyond affected ranges and test that GRUB configuration cannot be edited without authentication.📡 Detection & Monitoring
Log Indicators:
- Unexpected GRUB configuration changes in boot logs
- Physical access logs showing unauthorized entry to HSM locations
Network Indicators:
- None - this is a physical access exploit
SIEM Query:
Search for events like 'GRUB edit' or 'boot configuration modified' in system logs, combined with physical access alerts.