CVE-2025-59704
📋 TL;DR
This vulnerability allows physical attackers to access the BIOS menu on affected Entrust hardware security modules (HSMs) because the BIOS lacks password protection. Attackers with physical access could potentially compromise the device's firmware or boot process. This affects Entrust nShield Connect XC, nShield 5c, and nShield HSMi devices.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
Nshield Connect Xc Base Firmware by Entrust
Nshield Connect Xc High Firmware by Entrust
Nshield Connect Xc Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access could flash malicious firmware, extract cryptographic keys, or permanently compromise the HSM, potentially undermining all cryptographic operations it performs.
Likely Case
An attacker with brief physical access could modify BIOS settings to boot from unauthorized media or disable security features, potentially gaining persistent access to the device.
If Mitigated
With proper physical security controls, the impact is minimal as attackers cannot reach the devices.
🎯 Exploit Status
Exploitation requires physical access to press BIOS keys during boot. No authentication or special tools needed beyond physical console access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.6.12 or later, 13.8 or later
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Contact Entrust support for firmware updates.
2. Schedule maintenance window.
3. Apply firmware update following vendor instructions.
4. Verify BIOS password is set post-update.
🔧 Temporary Workarounds
Set BIOS Password
Manually set a BIOS password on affected devices to prevent unauthorized access
Access BIOS during boot (typically Del/F2/F10)
Navigate to Security settings
Set Supervisor Password
Physical Security Controls
Implement strict physical access controls to prevent unauthorized personnel from reaching HSM devices
🧯 If You Can't Patch
- Implement enhanced physical security: locked racks, surveillance, access logs for HSM locations
- Set BIOS passwords on all affected devices and document them securely
🔍 How to Verify
Check if Vulnerable:
1. Reboot device.
2. Press BIOS key during boot (typically Del/F2/F10).
3. If BIOS menu appears without password prompt, device is vulnerable.
Check Version:
Check firmware version via HSM management interface or console (vendor-specific commands)
Verify Fix Applied:
1. Reboot device.
2. Attempt to access BIOS.
3. Verify password prompt appears before BIOS menu access.
📡 Detection & Monitoring
Log Indicators:
- Physical access logs showing unauthorized personnel near HSM devices
- Unexpected device reboots or power cycles
Network Indicators:
- None - this is a physical access vulnerability
SIEM Query:
Search for physical access control system alerts for HSM locations outside maintenance windows
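The correlation described above, as an added example that is not part of the original advisory or any vendor tooling: it flags badge entries and HSM reboots outside maintenance windows and escalates when a reboot closely follows a room entry. The log formats, device and person names, and the 30-minute correlation interval are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M"
# Constructed sample data; the log formats and names are assumptions.
WINDOWS = [("2025-01-10T22:00", "2025-01-11T02:00")]
AUTHORIZED = {"alice", "bob"}
BADGE_LOG = """2025-01-10T22:15 hsm-room alice
2025-01-12T03:05 hsm-room alice
2025-01-13T14:30 hsm-room mallory"""
REBOOT_LOG = """2025-01-10T22:40 hsm-01
2025-01-12T03:12 hsm-01
2025-01-14T09:00 hsm-01"""

def parse(log):
    """Yield (datetime, remaining fields) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, *rest = line.split()
            yield datetime.strptime(ts, FMT), rest

def in_window(ts, windows):
    """True if ts falls inside any scheduled maintenance window."""
    return any(datetime.strptime(a, FMT) <= ts <= datetime.strptime(b, FMT)
               for a, b in windows)

def find_alerts(badge_log, reboot_log, windows, authorized,
                near=timedelta(minutes=30)):
    """Return sorted (timestamp, severity, reason) alerts."""
    alerts, entries = [], list(parse(badge_log))
    for ts, (_, person) in entries:
        if person not in authorized:
            alerts.append((ts, "high", f"unauthorized badge entry: {person}"))
        elif not in_window(ts, windows):
            alerts.append((ts, "medium", f"entry outside maintenance window: {person}"))
    for ts, (device,) in parse(reboot_log):
        if in_window(ts, windows):
            continue  # expected reboot during scheduled maintenance
        # BIOS access needs someone at the console during boot, so a reboot
        # shortly after a room entry is the pattern worth escalating.
        present = [p for t, (_, p) in entries if timedelta(0) <= ts - t <= near]
        if present:
            alerts.append((ts, "critical",
                           f"{device} rebooted with {', '.join(present)} on site"))
        else:
            alerts.append((ts, "medium", f"{device} unexpected reboot"))
    return sorted(alerts)

if __name__ == "__main__":
    for ts, sev, why in find_alerts(BADGE_LOG, REBOOT_LOG, WINDOWS, AUTHORIZED):
        print(ts.strftime(FMT), sev.upper(), why)
```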