CVE-2025-59705
📋 TL;DR
This vulnerability allows a physically proximate attacker to escalate privileges on Entrust nShield hardware security modules by inserting a chassis probe during system boot, which reactivates the disabled USB interface. This affects nShield Connect XC, nShield 5c, and nShield HSMi devices. Attackers with physical access to the hardware can bypass security controls.
💻 Affected Systems
- Entrust nShield Connect XC
- Entrust nShield 5c
- Entrust nShield HSMi
📦 What is this software?
nShield Connect XC Base Firmware by Entrust
nShield Connect XC High Firmware by Entrust
nShield Connect XC Mid Firmware by Entrust
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control of the HSM, potentially extracting cryptographic keys, manipulating security operations, or disabling the device entirely.
Likely Case
Attacker enables USB interface to load malicious firmware or execute unauthorized commands, compromising the HSM's security functions.
If Mitigated
With proper physical security controls, the attack surface is significantly reduced as physical access is required.
🎯 Exploit Status
Exploitation requires physical access and precise timing during boot process. No authentication is needed once physical access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: versions later than 13.6.11 and later than 13.7
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj
Restart Required: Yes
Instructions:
1. Contact Entrust support for updated firmware.
2. Back up the HSM configuration and keys.
3. Apply the firmware update following the vendor's instructions.
4. Verify that the update completed and that the HSM functions correctly.
🔧 Temporary Workarounds
Enhanced Physical Security
Restrict physical access to HSM devices through locked server rooms, surveillance, and access controls.
Boot Process Monitoring
Monitor boot sequences and alert on unexpected reboots or physical tampering indicators.
🧯 If You Can't Patch
- Implement strict physical access controls to server rooms containing HSMs
- Deploy tamper-evident seals and monitor for physical tampering
🔍 How to Verify
Check if Vulnerable:
Check HSM firmware version via management interface or CLI. Vulnerable if version is 13.6.11 or earlier, or exactly 13.7.
Check Version:
nshieldsysinfo (specific command may vary by management interface)
Verify Fix Applied:
Verify that the firmware version is later than the vulnerable versions (later than 13.6.11, or later than 13.7). Test that the USB interface remains disabled during boot.
📡 Detection & Monitoring
Log Indicators:
- Unexpected system reboots
- USB interface activation events
- Physical tamper alerts
Network Indicators:
- Unusual management interface activity post-reboot
SIEM Query:
source="hsm_logs" AND (event="reboot" OR event="usb_enable" OR event="tamper_detected")
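The log indicators above combined into one correlation check, as an added example that is not part of the original advisory. The log format and field names (`host`, `event=reboot|usb_enable|tamper_detected`) are assumptions matching the SIEM query, not Entrust's real log format; the sample lines are constructed.

```python
# Added example: correlate HSM log indicators for CVE-2025-59705.
# A USB-enable event shortly after a reboot is the pattern this CVE produces,
# since the USB interface should stay disabled across boot.
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumed format: "<ISO-8601 ts> <host> event=<name>").
SAMPLE_LOGS = """\
2025-10-01T08:00:02Z hsm-01 event=reboot
2025-10-01T08:00:41Z hsm-01 event=usb_enable
2025-10-01T09:15:00Z hsm-02 event=reboot
2025-10-01T10:00:00Z hsm-02 event=usb_enable
2025-10-01T12:30:00Z hsm-03 event=tamper_detected
"""

LINE_RE = re.compile(r"^(\S+) (\S+) event=(\S+)$")

def parse(text):
    """Yield (timestamp, host, event) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def find_alerts(text, window=timedelta(minutes=5)):
    """Return (host, reason) alerts in log order.

    - tamper_detected: always alert.
    - usb_enable within `window` of that host's last reboot: the CVE pattern.
    - usb_enable at any other time: still abnormal, flagged separately.
    - reboot alone: recorded for correlation, not alerted on by itself.
    """
    last_reboot = {}
    alerts = []
    for ts, host, event in parse(text):
        if event == "tamper_detected":
            alerts.append((host, "tamper_detected"))
        elif event == "reboot":
            last_reboot[host] = ts
        elif event == "usb_enable":
            rb = last_reboot.get(host)
            if rb is not None and ts - rb <= window:
                alerts.append((host, "usb_enable_after_reboot"))
            else:
                alerts.append((host, "usb_enable_unexpected"))
    return alerts

if __name__ == "__main__":
    for host, reason in find_alerts(SAMPLE_LOGS):
        print(f"{host}: {reason}")
```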