Summary
The tested nShield Connect XC HSM appliance can be rooted and backdoored via physical attack vectors in less than 5 minutes without leaving visible traces or triggering tamper events. There are multiple ways to modify the appliance without leaving any traces. These modifications lead to persistent, undetectable, and unrecoverable compromise of the appliance.
Vulnerability Listings
F01 Cosmo: Front USB port can be enabled at any time including during boot without triggering a tamper event | CVE-2025-59705
Summary
An attacker with physical access can enable USB access during boot. This can be used to gain root access to the appliance and subsequently persist on the device indefinitely and undetectably. This attack does not trigger a tamper event or any other protections, does not damage any components and does not leave any visible traces.
Proof of Concept
- Connect to the pin:
  - Thin wires fit through multiple holes in the port, so there are several ways to reach the pin (see red arrows in the image above).
  - The simplest way to make this attack repeatable is to take a robust wire that is still thin enough to fit through the holes, or a thin needle, and bend it into the right shape to reach the pin on a test device.
  - The correct insertion depth and orientation can then be marked on this basic tool once it has successfully been connected to the pin.
  - This tool can then be used on other devices of the same model. Both the USB port and the pin are on the same PCB, so there may be small differences in the required insertion depth, but the tool will get very close by default and can then be adjusted.
  - More complex 3D-printed tools with micropositioning features can make this attack significantly faster and more reliable.
  - The connection to the correct pin can be verified with a multimeter: it reads 3.3V when the device is running and 0V when it is turned off or booting. The pin has a 10k pull-down resistor to ground, which can also be tested for.
  - The front screws provide a reliable connection to ground.
- Pull the pin up to 3.3V from an external supply. In our attempts, the supply showed 62mA being drawn when the connection was successful (with the device off or booting).
- Plug a keyboard into the front USB port.
- Boot the HSM.
- Press "c" repeatedly right after the HSM beeps on boot to enter the GRUB shell.
- Press Enter to start a new prompt.
- Type "reboot" and press Enter.
- The HSM beeps again at POST; the steps above can be repeated indefinitely without triggering a tamper event.
F02 Cosmo: Firmware and storage can be read and modified via JTAG | CVE-2025-59693
Summary
An attacker with physical access (enabled by F14) can open the chassis and access the JTAG connector located on the Cosmo board to read and modify the firmware of the ARM SoC on the board as well as modify or clear the tamper log stored on the attached EEPROM (see F05). This enables an attacker to open the chassis without leaving any traces, and thereby allows access to other internals such as the unencrypted SSD.
Further Analysis
None of the protections offered by the ARM SoC (debug lock, readout protection) are active: JTAG gives full access to internal flash, SRAM and peripherals, so an attacker can read and modify the firmware without any restriction. The Cosmo board exposes a standard JTAG header.
F03 Cosmo: Unprotected boot chain | CVE-2025-59694
Summary
An attacker with access to Cosmo can persistently modify its firmware; there are no protections such as secure boot in place. An attacker with control over Cosmo can influence the appliance boot process, gains full control over chassis tamper events, controls what is displayed on the front LCD and can enable or disable front USB at any time.
Further Analysis
Modifying the firmware of Cosmo, either by:
- opening the appliance (F14) and writing the firmware directly via JTAG (F02), or
- using the upgrade process (F04) from root access on the appliance,
is not detectable by the appliance or the end user. The appliance has no way of verifying the integrity of the Cosmo firmware, or that a firmware reset/upgrade has actually happened, so any modification to the Cosmo firmware is both persistent and undetectable.
F04 Cosmo: Unverified firmware upgrades | CVE-2025-59695
Summary
An attacker with root access to the appliance can arbitrarily modify the Cosmo firmware. Once root on the appliance has been established, this attack does not require physical access and can be executed remotely.
Further Analysis
cosmoupgrade verifies the version number and CRC of the firmware image, but does not require any kind of authentication (such as a signature) for the image. A CRC only detects accidental corruption; anyone who can write the image can recompute it.
F05 Cosmo: Unprotected boot chain | CVE-2025-59696
Summary
An attacker with physical access or root access on the Cosmo board can edit tamper events in the log.
Further Analysis
The tamper log is stored on an I2C EEPROM on the Cosmo board; its contents are not encrypted and can be rewritten freely. Based on an I2C dump, the tamper log was extracted with a custom script:
The tamper log can be parsed with parseTamperLog.py, the output for the log above is shown below and identical with the log view on the LCD of the device:
$ python3 parseTamperLog.py
2023-11-15 17:54:11 Log reset
2024-06-06 10:38:31 Tamper
2024-06-14 13:59:02 Tamper
2024-06-14 14:54:41 Tamper
2024-06-14 14:55:08 Tamper
2024-06-14 15:16:48 Tamper
2024-06-26 12:25:27 Tamper
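As an added illustration (example code, not part of the advisory and not the Cosmo format), the following Python shows why a CRC check, as cosmoupgrade performs on firmware images (F04), or a plain record store such as the tamper log EEPROM (F05), offers no protection against an attacker who can write the bytes, and what changes once the verifier holds a key the attacker cannot read. The record layout, the event constants, the timestamps and the key are assumptions made for this example.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical record layout for this example: 4-byte unix timestamp + 1-byte
# event kind. The real Cosmo EEPROM layout is not reproduced here.
LOG_RESET, TAMPER = 0, 1
RECORD = struct.Struct("<IB")

# Constructed sample events (not the advisory's log): a log reset, then two tampers.
EVENTS = [(1700000000, LOG_RESET), (1717670000, TAMPER), (1719400000, TAMPER)]

# Assumed verifier-side key; the point is that it never lives on the board.
VERIFIER_KEY = b"example-key-held-by-the-verifier-only"


def pack_records(events):
    return b"".join(RECORD.pack(ts, kind) for ts, kind in events)


def unpack_records(body):
    return [RECORD.unpack_from(body, off) for off in range(0, len(body), RECORD.size)]


def crc_seal(body):
    """Append a CRC32 trailer, the kind of check cosmoupgrade performs on images (F04)."""
    return body + struct.pack("<I", zlib.crc32(body))


def crc_open(blob):
    """Verify the CRC trailer and return the body; raises on corruption."""
    body, (crc,) = blob[:-4], struct.unpack("<I", blob[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch")
    return body


def attacker_rewrite_crc(blob, keep):
    """Attacker with write access (JTAG or I2C, F02): drop unwanted records and
    simply recompute the CRC. The result passes crc_open()."""
    kept = [e for e in unpack_records(crc_open(blob)) if keep(e)]
    return crc_seal(pack_records(kept))


def mac_seal(key, body):
    """Append an HMAC-SHA256 tag computed with a key the attacker cannot read."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_open(key, blob):
    """Verify the tag in constant time and return the body; raises on any edit."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return body


def attacker_rewrite_mac(blob, keep):
    """Same attacker without the key: the best it can do is edit the body and keep the old tag."""
    kept = [e for e in unpack_records(blob[:-32]) if keep(e)]
    return pack_records(kept) + blob[-32:]


def demo():
    """Return (records the CRC-only verifier accepts after the attack,
    whether the keyed verifier detected the same attack)."""
    no_tampers = lambda e: e[1] != TAMPER

    crc_blob = crc_seal(pack_records(EVENTS))
    forged = attacker_rewrite_crc(crc_blob, no_tampers)
    accepted = unpack_records(crc_open(forged))  # CRC valid, tamper entries gone

    mac_blob = mac_seal(VERIFIER_KEY, pack_records(EVENTS))
    forged_mac = attacker_rewrite_mac(mac_blob, no_tampers)
    try:
        mac_open(VERIFIER_KEY, forged_mac)
        detected = False
    except ValueError:
        detected = True
    return accepted, detected


if __name__ == "__main__":
    accepted, detected = demo()
    print("CRC verifier accepts:", accepted)          # only the Log reset record survives
    print("keyed verifier detected edit:", detected)  # True
```

The keyed variant only helps if the key is not readable by the same attacker: a key stored on the Cosmo board is one JTAG dump away (F02). For a firmware image the practical equivalent is a signature checked against a public key held in immutable storage on the verifying side; for the tamper log, a counter or tag the appliance can check independently of what the Cosmo firmware reports.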
F06 Appliance: GRUB is not secured | CVE-2025-59697
Summary
An attacker who can enable front USB during boot or access the internal USB port can get root access to the appliance by editing the kernel arguments.
Further Analysis
When booting normally (not in maintenance mode), GRUB can be entered by repeatedly pressing 'e' (edit the boot entry) or 'c' (command shell); no password is required. Adding init=/bin/sh to the kernel parameters causes the appliance to start a root shell on boot without requiring any authentication.
F07 Appliance: EOL software with known vulnerabilities (GRUB 0.97) | CVE-2025-59698
Summary:
An attacker who can enable front USB during boot or otherwise gain access to the bootloader can use known vulnerabilities to attack the bootloader.
Further Analysis
The appliance uses GRUB 0.97 (GRUB Legacy), which is end-of-life and no longer receives fixes for reported vulnerabilities such as CVE-2023-4949 (CVSS 8.1).
F08 Appliance: Boot from USB without authentication or verification | CVE-2025-59699
Summary:
An attacker who can enable front USB during boot or access the internal USB port can get root access to the appliance by attaching a USB drive that carries a valid root filesystem on partition number 5. No further interaction is required to exploit this vulnerability.
Further Analysis
The root= kernel argument in the GRUB configuration names /dev/sda5 instead of the filesystem UUID. If a USB drive is present when the kernel boots, it is enumerated first and assigned /dev/sda, so the kernel from the internal disk boots with the USB drive's partition sda5 as its root filesystem.
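As an added check (example code, not part of the advisory), the following Python audits a GRUB Legacy menu.lst for the two conditions F06 and F08 describe: no password directive protecting the 'e'/'c' keys, and a root= argument that names a device path rather than a filesystem identifier. Both configurations are constructed for the example and are not the appliance's real files; the password hash is a placeholder.

```python
import re

# Constructed sample in the shape the advisory describes (not the appliance's file):
# no 'password' directive and root= given as an enumeration-dependent device path.
WEAK_MENU_LST = """\
default 0
timeout 5
title Appliance
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda5 ro quiet
initrd /boot/initrd.img
"""

# Same entry hardened: a global password (hash is a placeholder), the entry locked,
# and root= bound to the filesystem UUID (resolved by the initrd, not by GRUB).
HARDENED_MENU_LST = """\
default 0
timeout 0
password --md5 $1$examplesalt$examplehashexamplehashxx
title Appliance
lock
root (hd0,0)
kernel /boot/vmlinuz root=UUID=0f6e1b2c-1234-4a5b-8c9d-0123456789ab ro quiet
initrd /boot/initrd.img
"""

ROOT_ARG = re.compile(r"(?:^|\s)root=(\S+)")


def _directives(text):
    """Yield (keyword, full line) for non-empty, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split(None, 1)[0], line


def audit_menu_lst(text):
    """Return a list of findings; an empty list means neither issue was seen."""
    findings = []
    entries = list(_directives(text))

    # Global section = everything before the first 'title'. GRUB Legacy only
    # guards 'e' (edit) and 'c' (shell) when a global 'password' is present.
    global_keywords = []
    for kw, _line in entries:
        if kw == "title":
            break
        global_keywords.append(kw)
    if "password" not in global_keywords:
        findings.append("F06: no global 'password' directive; 'e'/'c' at the menu "
                        "give an unauthenticated editor and shell")

    # Root filesystem chosen by device path: whichever disk the kernel enumerates
    # first wins, so a USB disk with a matching partition number becomes root.
    for kw, line in entries:
        if kw != "kernel":
            continue
        m = ROOT_ARG.search(line)
        if m and m.group(1).startswith("/dev/"):
            findings.append(f"F08: root={m.group(1)} depends on enumeration order; "
                            "use root=UUID=... (needs an initrd) or root=PARTUUID=...")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_MENU_LST), ("hardened", HARDENED_MENU_LST)):
        print(name, audit_menu_lst(conf) or ["no findings"])
```

Two caveats when applying the hardened form: root=UUID= is resolved by the initramfs, not by the kernel, so a system that boots without an initrd must use root=PARTUUID= instead, which the kernel resolves itself; and a GRUB password only closes the interactive path, it does nothing against an attacker who replaces the disk contents (F11) or the bootloader itself.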
F10 Appliance: Recovery partition can be edited | CVE-2025-59700
Summary:
An attacker with root access can edit the recovery partition of the appliance. This can be used to persist across factory resets.
Proof of Concept:
- Press "e" during boot (enable front USB for this as described above).
- Add init=/bin/sh to the kernel parameters and press "b" to boot.
- In the root shell, execute "mount /dev/sda1 /mnt" to view and edit anything on the recovery partition.
F11 Appliance: SSD is not encrypted and not verified | CVE-2025-59701
Summary:
An attacker with access to the SSD can read and modify any data on it, including the operating system and configuration settings, enabling a stealthy compromise of the appliance and of its recovery mechanisms.
F12 Appliance: Tamper log output can be modified | CVE-2025-59702
Summary:
An attacker with root access to the appliance (or write access to the SSD) can modify how the tamper log is displayed, including hiding any or all entries. The LCD is the only way for the tamper log to be read by the user.
Further Analysis:
Patching of /opt/nfast/sbin/netui is sufficient to show an empty tamper log irrespective of the actual state.

It is noteworthy that only the appliance needs to be compromised for this exploit. Modifying the Cosmo firmware (F02, F04) is another way of achieving the same result.
F14 Tamper label can be removed without damaging it | CVE-2025-59703
Summary:
The tamper evident label of the nShield HSM can be removed with inexpensive, easily accessible, and basic tools (isopropanol and a sharp knife) without leaving traces on either the HSM or the label.
Further Analysis
Isopropanol can be used to dissolve the tamper-evident label's glue without causing the "tamper" markings to appear. Pictures of the first attempt are shown below. Care must be taken not to expose the holographic stripe to isopropanol for too long, as it dissolves the stripe; this is easily avoided, because the holographic stripe is only on the top side of the label. The two types of damage seen in the first attempt (a small crease from bending the label too much and partial removal of the holographic stripe) can be avoided with the experience gained from it.

F15 Appliance: BIOS setup not secured | CVE-2025-59704
Summary:
An attacker with access to a USB port that is enabled during boot can enter the BIOS setup and edit security relevant settings such as whether to boot into an EFI-Shell on a connected disk, which grants highly privileged access to the system. BIOS Administrator access does not require a password.
Further Analysis
Press "Del" to enter the Setup as Administrator. Available settings are very limited, but include disabling VT-d, enabling PCIe Option ROMs and changing the boot drive.
Timeline
Date reported: 06/23/2025
Date fixed: 08/22/2025
Date disclosed: 09/22/2025
Credits: Daniel Burian, Michael Wünsch