CVE-2025-14857: CWE-123 Write-what-where Condition in Semtech LR1110
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
AI Analysis
Technical Summary
This vulnerability (CVE-2025-14857) in Semtech LR1110 transceivers arises from a write-what-where condition (CWE-123) due to improper access control on the SPI interface's memory write command. Early firmware versions fail to protect the program call stack from being overwritten, allowing an attacker with physical SPI access to hijack program control flow and execute arbitrary code temporarily. The impact is limited by secure boot mechanisms that prevent persistent firmware changes and cryptographic key isolation that protects sensitive data. All modifications are volatile and lost on device reboot or removal of physical access.
Potential Impact
The vulnerability allows an attacker with physical access to the SPI interface to perform limited arbitrary code execution during the active session. Persistent compromise is prevented by secure boot, and cryptographic keys remain protected. No persistent firmware modification or long-term compromise is possible. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict physical access to the SPI interface to prevent exploitation. The device's secure boot and cryptographic protections limit the impact of this vulnerability.
CVE-2025-14857: CWE-123 Write-what-where Condition in Semtech LR1110
Description
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2025-14857) in Semtech LR1110 transceivers arises from a write-what-where condition (CWE-123) due to improper access control on the SPI interface's memory write command. Early firmware versions fail to protect the program call stack from being overwritten, allowing an attacker with physical SPI access to hijack program control flow and execute arbitrary code temporarily. The impact is limited by secure boot mechanisms that prevent persistent firmware changes and cryptographic key isolation that protects sensitive data. All modifications are volatile and lost on device reboot or removal of physical access.
Potential Impact
The vulnerability allows an attacker with physical access to the SPI interface to perform limited arbitrary code execution during the active session. Persistent compromise is prevented by secure boot, and cryptographic keys remain protected. No persistent firmware modification or long-term compromise is possible. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict physical access to the SPI interface to prevent exploitation. The device's secure boot and cryptographic protections limit the impact of this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- SWI
- Date Reserved
- 2025-12-18T00:09:25.318Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5660baaed68159a5b4066
Added to database: 4/7/2026, 8:16:11 PM
Last enriched: 4/7/2026, 8:32:10 PM
Last updated: 4/8/2026, 2:07:14 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.