CVE-2025-14859
Received Received - Intake
Second Preimage Attack on Semtech LR11xx Secure Boot Enables Firmware Tampering

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: Sierra Wireless Inc.

Description
The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14859
EUVD
EUVD-2025-209287
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
semtech lr11xx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Semtech LR11xx LoRa transceivers use secure boot functionality that relies on digital signatures to authenticate firmware. However, the cryptographic hashing algorithm used in this process is non-standard and vulnerable to second preimage attacks. This means an attacker with physical access to the device can create a malicious firmware image that produces the same hash as a legitimate one, bypassing the secure boot verification and allowing unauthorized firmware to be installed.

Impact Analysis

This vulnerability allows an attacker with physical access to the affected Semtech LoRa transceivers to bypass secure boot protections and install arbitrary, unauthorized firmware on the device. This could lead to compromised device integrity, unauthorized control, and potential disruption or manipulation of device functions.

Detection Guidance

This vulnerability requires physical access to the affected Semtech LR11xx LoRa transceivers to exploit the weakness in the secure boot implementation. There is no indication that it can be detected remotely on a network or system.

No specific detection commands or network-based detection methods are provided in the available information.

Mitigation Strategies

Since the vulnerability requires physical access to the device, immediate mitigation steps include restricting physical access to the affected devices to trusted personnel only.

Additionally, monitoring and controlling device firmware updates to ensure only authenticated and verified firmware is installed can help mitigate the risk.

Refer to Semtech's security bulletin SEM-PSA-2026-001 for any available patches or updated firmware addressing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart