Description
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
Published: 2026-04-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Physical Access Arbitrary Code Execution
Action: Update Firmware
AI Analysis

Impact

An improper access control flaw in Semtech LoRa transceivers allows anyone with physical access to the SPI interface to issue memory write commands that bypass write protection on the program call stack. This vulnerability can be exploited to overwrite stack memory, redirect program flow, and execute limited arbitrary code during the active session. However, the device's secure boot and crypto engine prevent persistent firmware changes, and any modifications are lost when the device reboots or physical access is removed.

Affected Systems

The flaw affects Semtech LR1110, LR1120, and LR1121 transceivers running early firmware releases that do not enforce stack write protection. The exact firmware versions are not listed, but the issue applies to the initial firmware versions before the fix was implemented.

Risk and Exploitability

The CVSS 4.0 score is 5.4 (Medium). No EPSS score is available, and the vulnerability is not catalogued in CISA's KEV list. Exploitation requires direct physical access to the SPI bus, limiting the attack scope. Once exploited, the attacker can hijack program control flow but cannot make persistent changes due to secure boot enforcement and cryptographic key isolation.

Generated by OpenCVE AI on April 7, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Semtech firmware update
  • Restrict or disable physical SPI access when possible
  • Monitor device for abnormal activity and enforce secure boot

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
Title Semtech LR11xx Memory Write Access Control Bypass
First Time appeared Semtech
Semtech lr1110
Semtech lr1120
Semtech lr1121
Weaknesses CWE-123
CPEs cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*
cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*
cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*
Vendors & Products Semtech
Semtech lr1110
Semtech lr1120
Semtech lr1121
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:A/V:D/RE:M'}


MITRE

Status: PUBLISHED

Assigner: SWI

Published:

Updated: 2026-04-07T20:42:41.466Z

Reserved: 2025-12-18T00:09:25.318Z

Link: CVE-2025-14857

Vulnrichment

Updated: 2026-04-07T20:38:09.550Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T20:16:21.253

Modified: 2026-04-08T21:27:00.663

Link: CVE-2025-14857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:45:57Z

Weaknesses