CVE-2025-14857
Received Received - Intake
Improper Access Control in Semtech LR11xxx Enables Limited Code Execution

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: Sierra Wireless Inc.

Description
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14857
EUVD
EUVD-2025-209282
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
semtech lora_lr11xxx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-123 Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an improper access control issue in Semtech LoRa LR11xxx transceivers running early firmware versions. Specifically, the memory write command accessible via the physical SPI interface does not properly enforce write protection on the program call stack.

An attacker with physical access to the SPI interface can exploit this flaw to overwrite stack memory, hijack the program's control flow, and achieve limited arbitrary code execution during the active attack session.

However, the impact is limited because the device's secure boot mechanism prevents persistent firmware modification, cryptographic keys are isolated from direct firmware access, and all changes are lost once the device reboots or physical access is removed.

Impact Analysis

If an attacker gains physical access to the SPI interface of a vulnerable Semtech LoRa LR11xxx transceiver, they can temporarily hijack the device's program control flow and execute arbitrary code during the attack session.

This could lead to unauthorized actions or disruptions while the attacker maintains physical access.

However, the vulnerability does not allow permanent firmware changes or direct access to cryptographic keys, and all modifications are lost after reboot or loss of physical access, limiting long-term impact.

Mitigation Strategies

To mitigate this vulnerability, ensure that physical access to the SPI interface of Semtech LoRa LR11xxx transceivers is strictly controlled and restricted.

Since the vulnerability requires physical access to the SPI interface to exploit the improper access control, preventing unauthorized physical access is the primary mitigation step.

Additionally, rebooting the device will clear any temporary modifications made during an active attack session, as the secure boot mechanism prevents persistent firmware modification.

Compliance Impact

This vulnerability allows an attacker with physical access to the SPI interface to achieve limited arbitrary code execution during an active attack session. However, the device's secure boot mechanism prevents persistent firmware modification, cryptographic keys are isolated from direct firmware access, and all modifications are lost upon reboot or loss of physical access.

Given these limitations, the vulnerability's impact on compliance with common standards and regulations such as GDPR or HIPAA is likely limited, as persistent compromise or extraction of sensitive cryptographic material is prevented.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart