CVE-2025-59700
📋 TL;DR
This vulnerability allows a physically proximate attacker with root access to modify the Recovery Partition on Entrust nShield HSM devices due to lack of integrity protection. This affects nShield Connect XC, nShield 5c, and nShield HSMi devices. The attack requires physical access and root privileges, limiting its scope to compromised or malicious insiders.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
An attacker could tamper with the recovery partition to install persistent malware, backdoors, or modified firmware that could compromise the HSM's security functions and cryptographic operations.
Likely Case
Malicious insider or compromised administrator could potentially bypass security controls or establish persistence on the HSM device, though this requires physical access and root privileges.
If Mitigated
With proper physical security controls and privileged access management, the risk is significantly reduced as both physical access and root credentials are required.
🎯 Exploit Status
Exploitation requires physical access to the HSM device and root-level administrative access. The vulnerability is in the recovery partition integrity protection mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 13.6.11 and 13.7
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Contact Entrust support for firmware updates. 2. Schedule maintenance window for HSM firmware upgrade. 3. Backup HSM configuration and keys. 4. Apply firmware update following vendor instructions. 5. Verify integrity of recovery partition post-update.
🔧 Temporary Workarounds
Enhanced Physical Security
allImplement strict physical access controls to HSM devices including locked cabinets, surveillance, and access logging.
Privileged Access Management
allImplement strict root access controls, multi-factor authentication, and privileged session monitoring for HSM administration.
🧯 If You Can't Patch
- Implement strict physical security controls including locked server rooms, surveillance cameras, and access logging for HSM locations.
- Enforce least privilege access controls for HSM administration and implement multi-factor authentication for all privileged accounts.
🔍 How to Verify
Check if Vulnerable:
Check HSM firmware version via administrative interface or CLI. Vulnerable if version is 13.6.11 or earlier, or exactly 13.7.Check Version:
nshieldsysinfo or equivalent HSM administrative command (varies by model and configuration)Verify Fix Applied:
Verify firmware version is updated beyond vulnerable versions and check vendor documentation for recovery partition integrity verification procedures.📡 Detection & Monitoring
Log Indicators:
- Unauthorized physical access to HSM location
- Unexpected root/admin login to HSM management interface
- Recovery partition access or modification events
Network Indicators:
- Unusual administrative access patterns to HSM management interfaces
SIEM Query:
source="hsm_logs" AND (event_type="physical_access" OR user="root" OR partition="recovery")