Cyber Posture

CVE-2025-59695

CriticalPublic PoC

Published: 02 December 2025

Published
02 December 2025
Modified
15 December 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04.

Mitigating Controls (NIST 800-53 r5)AI

SI-7 Software, Firmware, and Information Integrity good match
detectrespond

Performs integrity verification of firmware on the Chassis Management Board to detect and respond to unauthorized alterations by users with root access.

AC-6 Least Privilege good match
prevent

Enforces least privilege on the host OS to prevent attackers from obtaining root access required to exploit the firmware alteration vulnerability.

CM-5 Access Restrictions for Change good match
prevent

Restricts and documents access to changes on HSM components like the Chassis Management Board firmware, mitigating unauthorized modifications even with root privileges.

Security SummaryAI

CVE-2025-59695 is a critical vulnerability in Entrust nShield Connect XC, nShield 5c, and nShield HSMi hardware security modules through firmware versions 13.6.11 or 13.7. It enables a user with OS root access to alter firmware on the Chassis Management Board without authentication, an issue tracked as F04 and mapped to CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability.

An attacker with root access on the host operating system can exploit this flaw remotely without additional privileges, user interaction, or authentication checks on the Chassis Management Board. Successful exploitation allows arbitrary firmware modification, potentially compromising the HSM's security functions, such as cryptographic key management and attestation.

Advisories are available in the Google security research advisory at https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj and Entrust's HSM documentation at https://www.entrust.com/use-case/why-use-an-hsm. The CVE was published on 2025-12-02T15:15:55.010.

Details

CWE(s)
CWE-306

Affected Products

entrust
nshield 5c firmware
≤ 13.6.12 · 13.7.3 — 13.9.0
entrust
nshield hsmi firmware
≤ 13.6.12 · 13.7.3 — 13.9.0
entrust
nshield connect xc base firmware
≤ 13.6.12 · 13.7.3 — 13.9.0
entrust
nshield connect xc mid firmware
≤ 13.6.12 · 13.7.3 — 13.9.0
entrust
nshield connect xc high firmware
≤ 13.6.12 · 13.7.3 — 13.9.0

MITRE ATT&CK Enterprise TechniquesAI

T1685.006 Clear Linux or Mac System Logs Defense Impairment
Adversaries may clear system logs to hide evidence of an intrusion.
attack.mitre.org →
T1542.002 Component Firmware Stealth
Adversaries may modify component firmware to persist on systems.
attack.mitre.org →
Why these techniques?

CVE-2025-59695 and related flaws (F02-F05) enable root users to modify Chassis Management Board firmware without authentication (T1542.002: Component Firmware) and edit unencrypted tamper logs (T1070.002: Clear Linux or Mac System Logs), facilitating undetectable persistence and indicator removal.

References