CVE-2025-14859 PUBLISHED

Semtech LR11xx Secure Boot Bypass

Assigner: SWI
Reserved: 18.12.2025 Published: 07.04.2026 Updated: 07.04.2026

The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.

Metrics

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:I/V:C/RE:M
CVSS Score: 7

Product Status

Vendor Semtech
Product LR1110
Versions Default: unaffected
  • affected from 0 to BL2 FW 0x1001 (excl.)

Vendor Semtech
Product LR1120
Versions Default: unaffected
  • affected from 0 to BL2 FW 0x2001 (excl.)

Vendor Semtech
Product LR1121
Versions Default: unaffected
  • affected from 0 to BL2 FW 0x2101 (excl.)

Problem Types

  • CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Impacts

  • CAPEC-68 Subvert Code-signing