CVE-2025-59699: Critical Flaw Allows Bypass of Entrust nShield HSM Security via USB Boot

Overview

CVE-2025-59699 describes a security vulnerability in Entrust nShield Connect XC, nShield 5c, and nShield HSMi devices through version 13.6.11, or 13.7. The flaw allows a physically proximate attacker with access to the HSM to escalate privileges to root by booting the device from a USB drive containing a valid root filesystem. The vulnerability stems from insecure default settings in the Legacy GRUB bootloader configuration.

Technical Details

The core issue resides in the default configuration of the Legacy GRUB bootloader used by the affected Entrust nShield HSMs, which permits booting from external media, specifically USB drives. An attacker with physical access can prepare a USB drive carrying a malicious or compromised root filesystem; once the HSM is booted from that drive, the attacker holds root-level access to the system and the HSM's intended security controls are bypassed. The root cause is the absence of boot verification and of a secure boot configuration in the default setup.

CVSS Analysis

Currently, a CVSS score and severity rating are not available for CVE-2025-59699 (N/A). However, due to the potential for complete compromise of the HSM’s security and the need for only physical access, it’s highly recommended to treat this vulnerability as high risk. A CVSS score will likely be assigned as further information becomes available from Entrust and other security research organizations.

Possible Impact

The successful exploitation of CVE-2025-59699 can have severe consequences. An attacker gaining root access to the HSM can:

  • Extract sensitive cryptographic keys stored within the HSM.
  • Manipulate the HSM’s configuration and security policies.
  • Compromise the integrity of cryptographic operations performed by the HSM.
  • Potentially use the compromised HSM as a pivot point to attack other systems on the network.

This can lead to data breaches, financial losses, and reputational damage for organizations relying on the affected Entrust nShield HSMs.

Mitigation or Patch Steps

Entrust has likely released, or will release, a patch to address this vulnerability; apply the patch provided by Entrust as soon as it is available. Mitigation steps may include:

  • Apply the latest firmware update from Entrust: This should address the insecure default settings in the Legacy GRUB Bootloader.
  • Disable USB Boot: If possible, disable booting from USB devices in the HSM’s BIOS or bootloader settings. Consult Entrust’s documentation for instructions.
  • Physical Security: Implement strict physical security measures to prevent unauthorized access to the HSMs.
  • Bootloader Security: Enforce bootloader password protection and consider disabling legacy boot options where applicable, after careful consideration of the impact on system recovery procedures.

Contact Entrust support for specific guidance on securing your nShield HSM deployment.
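As an added illustration of the "Bootloader Security" item above (this is not code from the advisory, from Entrust, or from the nShield firmware), the check below parses a GRUB Legacy menu.lst and flags the settings a bootloader-password review looks for. The two sample configurations and the password hash are constructed placeholders, since the page does not show the actual nShield bootloader configuration.

```python
from typing import Dict, List
# Constructed samples, not the real nShield files (the advisory does not show them).
WEAK_MENU_LST = """\
default 0
title nShield firmware
    root (hd0,0)
    kernel /boot/vmlinuz root=/dev/sda1
"""

HARDENED_MENU_LST = """\
default 0
# --md5 keeps the secret hashed; a bare "password secret" line would be plaintext
password --md5 $1$PLACEHOLDER$replace-with-a-real-grub-md5-crypt-hash
title nShield firmware
    lock
    root (hd0,0)
    kernel /boot/vmlinuz root=/dev/sda1
"""

def audit_menu_lst(text: str) -> Dict[str, object]:
    """Parse a GRUB Legacy menu.lst and report what a hardening review would flag.
    The global ``password`` line is what disables GRUB Legacy's interactive editor
    and command line, so without it anyone at the console can change the root device
    or kernel arguments; ``lock`` makes a stanza unbootable until the password is entered."""
    global_password = None  # text of the global password line, if present
    stanzas: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title "):
            stanzas.append({"title": line[6:].strip(), "locked": False})
        elif line.startswith("password") and not stanzas:  # global section only
            global_password = line
        elif line == "lock" and stanzas:
            stanzas[-1]["locked"] = True
    findings: List[str] = []
    if global_password is None:
        findings.append("no global password: console editor/command line unrestricted")
    elif "--md5" not in global_password:
        findings.append("global password stored in plaintext (use --md5)")
    for stanza in stanzas:
        if not stanza["locked"]:
            findings.append(f"entry '{stanza['title']}' not locked")
    return {"global_password": global_password is not None, "findings": findings}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MENU_LST), ("hardened", HARDENED_MENU_LST)):
        print(name, audit_menu_lst(cfg)["findings"])
```

A menu.lst password only restricts what can be done at the GRUB console; it does not change the firmware boot order, so it complements rather than replaces the "Disable USB Boot" step.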

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
