Skip to main content

Lr1120

3 CVEs product

Monthly

CVE-2025-14859 HIGH This Week

Cryptographic bypass in Semtech LR11xx LoRa transceiver secure boot allows physically proximate attackers to install arbitrary firmware via hash collision. The implementation uses a non-standard, collision-vulnerable hashing algorithm (CWE-327), enabling second preimage attacks that forge signed firmware images. Affects LR1110, LR1120, and LR1121 transceivers widely deployed in IoT/LoRaWAN devices. CVSS 7.0 requires physical access (AV:P), low complexity, no privileges. No public exploit identified at time of analysis; EPSS data unavailable for this recent CVE.

Authentication Bypass Lr1110 Lr1120 Lr1121
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-14858 MEDIUM This Month

Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.

Information Disclosure Lr1110 Lr1120 Lr1121
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-14857 MEDIUM This Month

Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.

RCE Lr1110 Lr1120 Lr1121
NVD
CVSS 4.0
5.4
EPSS
0.0%
EPSS 0% CVSS 7.0
HIGH This Week

Cryptographic bypass in Semtech LR11xx LoRa transceiver secure boot allows physically proximate attackers to install arbitrary firmware via hash collision. The implementation uses a non-standard, collision-vulnerable hashing algorithm (CWE-327), enabling second preimage attacks that forge signed firmware images. Affects LR1110, LR1120, and LR1121 transceivers widely deployed in IoT/LoRaWAN devices. CVSS 7.0 requires physical access (AV:P), low complexity, no privileges. No public exploit identified at time of analysis; EPSS data unavailable for this recent CVE.

Authentication Bypass Lr1110 Lr1120 +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.

Information Disclosure Lr1110 Lr1120 +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.

RCE Lr1110 Lr1120 +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy