CVE-2025-59699
📋 TL;DR
This vulnerability allows a physically proximate attacker to boot affected Entrust nShield HSM devices from a USB device with a valid root filesystem, enabling privilege escalation due to insecure default settings in the Legacy GRUB Bootloader. It affects Entrust nShield Connect XC, nShield 5c, and nShield HSMi devices. Attackers must have physical access to the device to exploit this vulnerability.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access gains full administrative control over the HSM device, potentially compromising cryptographic keys and sensitive operations.
Likely Case
Privilege escalation leading to unauthorized access to HSM functions and stored cryptographic material.
If Mitigated
Limited impact if physical access controls prevent unauthorized personnel from accessing devices.
🎯 Exploit Status
Exploitation requires physical access and a prepared USB device with a valid root filesystem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.6.12 or later, 13.7.1 or later
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Check current firmware version.
2. Download and apply firmware update from Entrust.
3. Reboot the HSM device.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Legacy GRUB Bootloader
Configure the bootloader to prevent booting from USB devices.
Consult Entrust documentation for specific bootloader configuration commands
Physical Security Controls
Implement strict physical access controls to prevent unauthorized personnel from accessing HSM devices.
🧯 If You Can't Patch
- Implement strict physical security controls to prevent unauthorized access to HSM devices.
- Disconnect USB ports or physically block them to prevent booting from USB devices.
🔍 How to Verify
Check if Vulnerable:
Check firmware version via HSM management interface or CLI commands. If version is 13.6.11 or earlier, or 13.7, the device is vulnerable.
Check Version:
nshieldsysinfo or consult Entrust management interface documentation
Verify Fix Applied:
Verify firmware version is 13.6.12 or later, or 13.7.1 or later. Test booting from USB to confirm it is prevented.
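The version thresholds above can be applied across a fleet inventory with a short script. This is an added example, not Entrust tooling: the hostnames, the inventory format and the function names are assumptions, and the firmware version string is taken to have been collected already from each device.

```python
import re

# Thresholds from the advisory text: fixed in 13.6.12 or later and 13.7.1 or later.
FIXED_13_6 = (13, 6, 12)
FIXED_13_7 = (13, 7, 1)


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a plain
    dotted version. A two-part value such as '13.7' is read as 13.7.0."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(text):
    """Map a firmware version string to 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"          # never assume an unparsed version is fixed
    # Tuples compare numerically, so 13.6.3 < 13.6.12 (a string compare
    # would order these the wrong way round).
    if v < FIXED_13_6:
        return "vulnerable"       # 13.6.11 or earlier
    if v < (13, 7, 0):
        return "fixed"            # 13.6.12 and later 13.6.x
    if v < FIXED_13_7:
        return "vulnerable"       # 13.7 (13.7.0)
    return "fixed"                # 13.7.1 or later


def triage(inventory):
    """Group (hostname, version) pairs by status; hostnames are sorted."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("hsm-dc1-01", "13.6.3"),
    ("hsm-dc1-02", "13.6.12"),
    ("hsm-dc2-01", "13.7"),
    ("hsm-dc2-02", "13.7.1"),
    ("hsm-lab-01", "not reported"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Devices reported as `unknown` need a manual version check rather than being counted as patched.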
📡 Detection & Monitoring
Log Indicators:
- Unauthorized boot attempts from USB devices
- Changes to bootloader configuration
Network Indicators:
- None - this is a physical access vulnerability
SIEM Query:
Search for boot events or unauthorized physical access logs related to HSM devices.