EUVD-2025-209282

CVE-2025-14857 | MEDIUM | 5.4 (CVSS 4.0)
2026-04-07 | SWI | GHSA-xjjj-2993-4g39

CVSS Vector

CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:X
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 20:16 (euvd), EUVD-2025-209282
Analysis Generated: Apr 07, 2026 - 20:16 (vuln.today)
CVE Published: Apr 07, 2026 - 19:56 (nvd), MEDIUM 5.4

Description

An improper access control vulnerability exists in Semtech LoRa LR11xx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.

Analysis

A stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. The CVSS score of 5.4 (Medium) reflects the physical attack requirement despite high confidentiality and integrity impact.

Technical Context

Semtech LoRa LR11xx transceivers (LR1110, LR1120, LR1121) are sub-GHz wireless transceiver chips used in IoT and LoRaWAN applications. The vulnerability resides in the firmware's memory write command handler, which is accessible via the physical Serial Peripheral Interface (SPI) bus, the primary communication protocol between the transceiver and host microcontroller. The root cause is an improper access control flaw (CWE-123: Write-What-Where Condition) where the firmware fails to enforce write protection on the program call stack memory region. An attacker with direct physical access to the SPI interface can craft malformed memory write commands that bypass protection checks and overwrite stack data, enabling control flow hijacking. The device's secure boot mechanism and isolated cryptographic engine (referenced in the description) mitigate persistence and key extraction, limiting the attack window to the duration of physical access and the active session.

Affected Products

Semtech LoRa transceivers LR1110, LR1120, and LR1121 running early firmware versions are affected, as identified by CPE strings cpe:2.3:a:semtech:lr1110, cpe:2.3:a:semtech:lr1120, and cpe:2.3:a:semtech:lr1121. Exact firmware version ranges are not specified in the provided data. End products integrating these transceivers (LoRaWAN gateways, IoT edge devices, sensor modules) are indirectly affected. Consult Semtech security bulletin SEM-PSA-2026-001 at https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 for specific firmware version boundaries and affected SKUs.

Remediation

Update affected Semtech LR11xx transceiver firmware to the patched version specified in Semtech security bulletin SEM-PSA-2026-001 (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001). Exact patched firmware versions are not provided in the available data; consult the Semtech advisory for the correct target version for your device model and current firmware level. As an interim mitigation, restrict physical SPI interface access through mechanical tamper-evident enclosures, secure mounting in controlled-access facilities, or disabling SPI debug interfaces where permitted by application requirements. Monitor firmware update channels from Semtech and implement a rollout plan prioritizing devices in physically accessible or untrusted environments. Secure boot is already present and functional; verify it remains enabled in your deployment.

Priority Score

27 (KEV: 0, EPSS: +0.0, CVSS: +27, POC: 0)
