Description
* Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat.
* KSU keys using SYMCRYPTO will be impacted by this vulnerability.
Published: 2026-05-15
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the DPA countermeasure within the SYMCRYPTO engine on SixG301xxx devices, where the randomization is insufficient and will eventually repeat. This flaw reduces the effectiveness of the countermeasure and can enable attackers to use Differential Power Analysis to recover secret keys, notably KSU keys that rely on SYMCRYPTO. The weakness corresponds to CWE‑331, representing insufficient entropy or randomness in cryptographic operations.

Affected Systems

The affected assets are Silabs Simplicity SDK components running on SixG301xxx family devices. The flaw specifically impacts firmware that employs the SYMCRYPTO module for generating or protecting KSU keys. Version information was not disclosed in the advisory, so all current releases of the SDK that use SYMCRYPTO are potentially compromised.

Risk and Exploitability

The CVSS score of 4.1 indicates a low threat level, and there is no EPSS score available. The vulnerability is not listed in CISA KEV. The likely attack vector is offline, requiring an attacker to physically monitor power traces of the device over time to reconstruct the secret key. While the attack demands specialized equipment and time, the repeatable nature of the countermeasure weakness makes it feasible. No publicly disclosed exploits are currently known. Overall, the risk is moderate but tangible for environments where the device functionality is essential and key protection is paramount.

Generated by OpenCVE AI on May 15, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check silabs.com for any firmware or patch updates that address the DPA countermeasure reseeding issue and apply them immediately.
  • After updating, rekey or rotate KSU keys to eliminate any keys that may have been exposed by the weak countermeasure.
  • Limit physical access to the devices and, if possible, deploy hardware masking or noise generation to obfuscate power consumption during critical operations.

Advisories

No advisories yet.

History

Fri, 15 May 2026 16:15:00 +0000

Values Removed: (none)
Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 15:15:00 +0000

Values Removed: (none)
Values Added:
Description: * Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat. * KSU keys using SYMCRYPTO will be impacted by this vulnerability.
Title: Insufficient DPA countermeasure reseeding
Weaknesses: CWE-331
References
Metrics: cvssV4_0 {'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-05-15T15:40:29.635Z

Reserved: 2025-12-19T14:02:56.291Z

Link: CVE-2025-14972

Vulnrichment

Updated: 2026-05-15T15:40:26.072Z

NVD

Status: Received

Published: 2026-05-15T15:16:49.193

Modified: 2026-05-15T15:16:49.193

Link: CVE-2025-14972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T16:30:03Z

Weaknesses