{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14859", "assignerOrgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "state": "PUBLISHED", "assignerShortName": "SWI", "dateReserved": "2025-12-18T00:09:40.606Z", "datePublished": "2026-04-07T19:58:41.379Z", "dateUpdated": "2026-04-07T20:42:41.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "shortName": "SWI", "dateUpdated": "2026-04-07T19:58:41.379Z"}, "title": "Semtech LR11xx Secure Boot Bypass", "datePublic": "2026-04-06T18:07:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-68", "descriptions": [{"lang": "en", "value": "CAPEC-68 Subvert Code-signing"}]}], "affected": [{"vendor": "Semtech", "product": "LR1110", "modules": ["firmware"], "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x1001", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1120", "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x2001", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1121", "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x2101", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*", "versionEndExcluding": "bl2_fw_0x1001", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*", "versionEndExcluding": "bl2_fw_0x2001", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*", "versionEndExcluding": "bl2_fw_0x2101", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.\n\n<br>"}]}], "references": [{"url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "IRRECOVERABLE", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:I/V:C/RE:M"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14859", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T20:31:39.343091Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:42:41.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14859", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T20:31:39.343091Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:37:44.923Z"}}], "cna": {"title": "Semtech LR11xx Secure Boot Bypass", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-68", "descriptions": [{"lang": "en", "value": "CAPEC-68 Subvert Code-signing"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "IRRECOVERABLE", "baseScore": 7, "Automatable": "NO", "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:I/V:C/RE:M", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Semtech", "modules": ["firmware"], "product": "LR1110", "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x1001", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1120", "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x2001", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Semtech", "product": "LR1121", "versions": [{"status": "affected", "version": "0", "lessThan": "BL2 FW 0x2101", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-06T18:07:00.000Z", "references": [{"url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.", "supportingMedia": [{"type": "text/html", "value": "The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "bl2_fw_0x1001", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "bl2_fw_0x2001", "versionStartIncluding": "0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "bl2_fw_0x2101", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "shortName": "SWI", "dateUpdated": "2026-04-07T19:58:41.379Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14859", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:42:41.142Z", "dateReserved": "2025-12-18T00:09:40.606Z", "assignerOrgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "datePublished": "2026-04-07T19:58:41.379Z", "assignerShortName": "SWI"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device."}], "id": "CVE-2025-14859", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "IRRECOVERABLE", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:I/V:C/RE:M/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@sierrawireless.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:22.590", "references": [{"source": "security@sierrawireless.com", "url": "https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001"}], "sourceIdentifier": "security@sierrawireless.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "security@sierrawireless.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,BL2 FW 0x1001)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1110", "source": "cna", "vendor": "Semtech"}, "product": "lr1110", "vendor": "semtech"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,BL2 FW 0x2001)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1120", "source": "cna", "vendor": "Semtech"}, "product": "lr1120", "vendor": "semtech"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,BL2 FW 0x2101)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LR1121", "source": "cna", "vendor": "Semtech"}, "product": "lr1121", "vendor": "semtech"}], "analysis": {"en": {"generated_at": "2026-04-07T21:20:19.590683+00:00", "value": {"mitigation_remediation": ["Download and install the latest firmware release from Semtech that corrects the hashing implementation, as referenced in the Semtech security bulletin.", "Verify the integrity of the installed firmware using the vendor\u2019s verification tools to ensure the new image is authentic and untampered.", "Enforce strict physical security controls on the transceiver devices to prevent unauthorized access and manipulation of firmware."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Firmware"}, "threat_synthesis": {"affected_systems": "Semtech LR1110, LR1120, and LR1121 LoRa transceivers are affected. Firmware versions prior to the latest patch, as identified in the Semtech security bulletin, are vulnerable. No specific release numbers are listed, so all versions should be treated as at risk until a patched firmware is installed.", "description_and_impact": "The vulnerability lies in a non\u2011standard hash function used for secure boot, which is susceptible to second\u2011preimage attacks. An attacker can create malicious firmware that shares the same hash as a legitimate image, causing the device to accept and run it. This enables the deployment of arbitrary, unauthorized code on the hardware, compromising both the integrity of the system and any data it processes.", "risk_and_exploitability": "The CVSS score of 7 indicates a high severity risk, though exploitation requires physical access to the device, limiting the attack surface. The lack of an EPSS score and absence from the KEV catalog mean that known public exploits are not yet documented, but the logical pathway exists for an attacker who can physically interact with the transceiver, making preventive measures essential."}}}}, "created": "2026-04-08T19:34:26.571771+00:00", "updated": "2026-04-08T19:45:55.356726+00:00", "vendors": ["semtech", "semtech$PRODUCT$lr1110", "semtech$PRODUCT$lr1120", "semtech$PRODUCT$lr1121"]}