Description
The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.
Published: 2026-04-07
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Firmware
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in a non‑standard hash function used for secure boot, which is susceptible to second‑preimage attacks. An attacker can create malicious firmware that shares the same hash as a legitimate image, causing the device to accept and run it. This enables the deployment of arbitrary, unauthorized code on the hardware, compromising both the integrity of the system and any data it processes.

Affected Systems

Semtech LR1110, LR1120, and LR1121 LoRa transceivers are affected. Firmware versions prior to the latest patch, as identified in the Semtech security bulletin, are vulnerable. No specific release numbers are listed, so all versions should be treated as at risk until a patched firmware is installed.

Risk and Exploitability

The CVSS score of 7 indicates a high severity risk, though exploitation requires physical access to the device, limiting the attack surface. The lack of an EPSS score and absence from the KEV catalog mean that known public exploits are not yet documented, but the logical pathway exists for an attacker who can physically interact with the transceiver, making preventive measures essential.

Generated by OpenCVE AI on April 7, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware release from Semtech that corrects the hashing implementation, as referenced in the Semtech security bulletin.
  • Verify the integrity of the installed firmware using the vendor’s verification tools to ensure the new image is authentic and untampered.
  • Enforce strict physical security controls on the transceiver devices to prevent unauthorized access and manipulation of firmware.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device.
Title | | Semtech LR11xx Secure Boot Bypass
First Time appeared | | Semtech; Semtech lr1110; Semtech lr1120; Semtech lr1121
Weaknesses | | CWE-327
CPEs | | cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*; cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*; cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*
Vendors & Products | | Semtech; Semtech lr1110; Semtech lr1120; Semtech lr1121
References | |
Metrics | | cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/AU:N/R:I/V:C/RE:M'}


MITRE

Status: PUBLISHED

Assigner: SWI

Published:

Updated: 2026-04-07T20:42:41.142Z

Reserved: 2025-12-18T00:09:40.606Z

Link: CVE-2025-14859

Vulnrichment

Updated: 2026-04-07T20:37:44.923Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T20:16:22.590

Modified: 2026-04-08T21:27:00.663

Link: CVE-2025-14859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:45:55Z

Weaknesses