{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14858", "assignerOrgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "state": "PUBLISHED", "assignerShortName": "SWI", "dateReserved": "2025-12-18T00:09:38.279Z", "datePublished": "2026-04-07T19:57:43.422Z", "dateUpdated": "2026-04-07T20:42:41.321Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "shortName": "SWI", "dateUpdated": "2026-04-07T19:57:43.422Z"}, "title": "Semtech LR11xx Encrypted Firmware Disclosure", "datePublic": "2026-04-06T18:07:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-226", "description": "CWE-226 Sensitive Information in Resource Not Removed Before Reuse", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "Semtech", "product": "LR1110", "modules": ["firmware"], "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0402", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1120", "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0202", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1121", "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0104", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*", "versionEndExcluding": "trx_fw_0x0402", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*", "versionEndExcluding": "trx_fw_0x0202", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*", "versionEndExcluding": "trx_fw_0x0104", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.<br>"}]}], "references": [{"url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:C/RE:M"}}], "credits": [{"lang": "en", "value": "Egor (radioegor146) Koleda, https://github.com/radioegor146", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T20:31:31.087152Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:42:41.321Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T20:31:31.087152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:37:57.438Z"}}], "cna": {"title": "Semtech LR11xx Encrypted Firmware Disclosure", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Egor (radioegor146) Koleda, https://github.com/radioegor146"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.1, "Automatable": "NO", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:C/RE:M", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Semtech", "modules": ["firmware"], "product": "LR1110", "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0402", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1120", "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0202", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1121", "versions": [{"status": "affected", "version": "0", "lessThan": "TRX FW 0x0104", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-06T18:07:00.000Z", "references": [{"url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.", "supportingMedia": [{"type": "text/html", "value": "The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-226", "description": "CWE-226 Sensitive Information in Resource Not Removed Before Reuse"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "trx_fw_0x0402", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "trx_fw_0x0202", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "trx_fw_0x0104", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "shortName": "SWI", "dateUpdated": "2026-04-07T19:57:43.422Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14858", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:42:41.321Z", "dateReserved": "2025-12-18T00:09:38.279Z", "assignerOrgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "datePublished": "2026-04-07T19:57:43.422Z", "assignerShortName": "SWI"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface."}], "id": "CVE-2025-14858", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@sierrawireless.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:22.397", "references": [{"source": "security@sierrawireless.com", "url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "sourceIdentifier": "security@sierrawireless.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-226"}], "source": "security@sierrawireless.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,TRX FW 0x0402)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1110", "source": "cna", "vendor": "Semtech"}, "product": "lr1110", "vendor": "semtech"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,TRX FW 0x0202)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1120", "source": "cna", "vendor": "Semtech"}, "product": "lr1120", "vendor": "semtech"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,TRX FW 0x0104)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1121", "source": "cna", "vendor": "Semtech"}, "product": "lr1121", "vendor": "semtech"}], "analysis": {"en": {"generated_at": "2026-04-07T21:20:32.417951+00:00", "value": {"mitigation_remediation": ["Apply the firmware update recommended in Semtech\u2019s security bulletin for the LR1110, LR1120, and LR1121 transceivers.", "Secure the SPI interface by restricting physical access or applying access controls such as cable locks or port shielding.", "Consider disabling unused SPI pins or implementing a protected memory region that clears decrypted data after use if firmware upgrade is not immediately possible.", "Monitor device logs for anomalous SPI read activity that may indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure of Encrypted Firmware"}, "threat_synthesis": {"affected_systems": "Semtech LR1110, Semtech LR1120, and Semtech LR1121 transceivers running early firmware versions are affected. The specific firmware releases that contain the flaw are not enumerated in the public advisory, but the problem has been identified in the earliest builds of these boards.", "description_and_impact": "The vulnerability lies in the firmware validation routine of Semtech LR11xx LoRa transceivers. During a firmware validity check over the SPI interface, the device decrypts encrypted firmware blocks one by one. Unfortunately, the final decrypted block is not cleared from memory after validation completes, leaving residual data that can be read by subsequent memory read operations. This flaw effectively bypasses the encryption protection on firmware, allowing an attacker to retrieve confidential firmware contents and potentially compromise device integrity. The weakness corresponds to CWE\u2011226, a failure to properly delete or overwrite intermediate state data.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity, and no EPSS data or KEV listing is available. This flaw is local; an attacker needs physical access to the device\u2019s SPI interface to trigger decryption and extract memory contents. Because the attack does not rely on network or remote interfaces, exploitation risk is confined to environments where physical compromise is feasible. Nevertheless, recovery of the decrypted firmware can aid future attacks, so the vulnerability should be remediated promptly."}}}}, "created": "2026-04-08T19:34:27.655962+00:00", "updated": "2026-04-08T19:45:56.431128+00:00", "vendors": ["semtech", "semtech$PRODUCT$lr1110", "semtech$PRODUCT$lr1120", "semtech$PRODUCT$lr1121"]}