CVE-2025-59703
📋 TL;DR
This vulnerability allows a physically proximate attacker to access internal components of Entrust nShield HSM appliances without leaving tamper evidence, potentially compromising cryptographic keys and security functions. It affects nShield Connect XC, nShield 5c, and nShield HSMi devices. Attackers need physical access to remove tamper labels and screws without damage (F14 attack).
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of cryptographic keys stored in the HSM, enabling decryption of protected data, forging digital signatures, and bypassing all security controls dependent on the HSM.
Likely Case
Physical theft or tampering with the device to extract sensitive cryptographic material, leading to data breaches and loss of cryptographic integrity.
If Mitigated
Limited impact if devices are in physically secure environments with strict access controls and tamper monitoring.
🎯 Exploit Status
Exploitation requires physical access, specialized tools, and knowledge to remove tamper labels and screws without damage. No authentication or network access needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 13.6.11 and 13.7
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Contact Entrust support for updated firmware.
2. Schedule maintenance window.
3. Backup HSM configuration.
4. Apply firmware update following vendor instructions.
5. Verify tamper seals are intact post-update.
🔧 Temporary Workarounds
Enhanced Physical Security Controls
Implement strict physical access controls and monitoring for HSM locations
Tamper Evidence Enhancement
Apply additional tamper-evident seals and implement regular physical inspection procedures
🧯 If You Can't Patch
- Deploy HSMs in physically secure locations with 24/7 surveillance, access logs, and intrusion detection
- Implement additional tamper-evident mechanisms and conduct regular physical inspections of devices
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the HSM management interface or console. Versions 13.6.11 and earlier, and version 13.7, are vulnerable.
Check Version:
Use nShield management tools: 'nfast status' or check via HSM management GUI
Verify Fix Applied:
Verify firmware version is updated beyond vulnerable versions and check that tamper monitoring systems report no breaches.
📡 Detection & Monitoring
Log Indicators:
- Tamper alarm events in HSM logs
- Physical access control system alerts for HSM location
- Unexpected HSM reboots or state changes
Network Indicators:
- None - this is a physical attack
SIEM Query:
source="hsm_logs" AND (event_type="tamper" OR event_type="physical_breach")