CVE-2025-14859

Summary

The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.

Affected Software

VendorProductVersion RangeStatus
SemtechLR11100 < BL2 FW 0x1001affected
SemtechLR11200 < BL2 FW 0x2001affected
SemtechLR11210 < BL2 FW 0x2101affected

Weaknesses

  • CWE-327: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References