
CVE-2025-59696: n/a

Severity: Low
Type: Vulnerability
Tags: cve, cve-2025-59696
Published: Tue Dec 02 2025 (12/02/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board.

AI-Powered Analysis

Last updated: 12/09/2025, 16:53:24 UTC

Technical Analysis

CVE-2025-59696 is a security vulnerability affecting Entrust nShield hardware security modules (HSMs), specifically the Connect XC, 5c, and HSMi models up to firmware versions 13.6.11 and 13.7. The flaw allows an attacker who is physically near the device and has low-level privileges to manipulate or erase tamper event logs by exploiting the chassis management board interface. Tamper event logs are critical for detecting unauthorized physical access or tampering attempts on HSMs, which are trusted devices used to securely generate, store, and manage cryptographic keys. By modifying or erasing these logs, an attacker can conceal evidence of physical tampering, undermining the device’s security assurances and forensic capabilities. The vulnerability does not enable direct compromise of cryptographic keys or availability of the device but impacts the integrity and reliability of tamper detection mechanisms. The CVSS 3.1 base score is 3.2, reflecting low severity due to the requirement for physical proximity and low privileges, no user interaction, and limited confidentiality and integrity impact. No public exploits or active exploitation have been reported. The weakness is categorized under CWE-1263, which relates to improper handling of tamper event data. Entrust has not yet published patches or mitigations, so organizations must rely on physical security controls and monitoring to mitigate risk.

Potential Impact

For European organizations, especially those in finance, government, and critical infrastructure sectors that rely on Entrust nShield HSMs for key management and cryptographic operations, this vulnerability poses a risk to the integrity of tamper detection and forensic logging. An attacker with physical access could erase or alter tamper logs to hide unauthorized physical access, potentially delaying detection of security breaches or insider threats. While the vulnerability does not directly expose cryptographic keys or disrupt availability, the loss of reliable tamper evidence weakens trust in the HSM’s security posture and could facilitate more advanced attacks if combined with other vulnerabilities or insider actions. This is particularly concerning for compliance-driven environments subject to strict audit and security requirements. The limited severity and physical access requirement reduce the overall risk, but organizations with less controlled physical environments or shared facilities may be more vulnerable.

Mitigation Recommendations

1. Enforce strict physical security controls around Entrust nShield HSM devices, including locked server rooms, surveillance, and access logging to prevent unauthorized physical proximity.
2. Implement tamper detection monitoring and alerting to quickly identify suspicious events or missing logs.
3. Regularly audit tamper event logs and correlate with physical access records to detect anomalies.
4. Coordinate with Entrust to obtain firmware updates or patches addressing this vulnerability as soon as they become available.
5. Consider deploying additional tamper-evident seals or external monitoring devices to complement the HSM’s internal tamper detection.
6. Limit administrative privileges on the chassis management board to trusted personnel only.
7. Review and update incident response plans to include scenarios involving tamper log manipulation.
8. For high-security environments, consider redundant or layered HSM deployments to reduce single points of failure.
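
One way to implement recommendations 2 and 3 against this specific flaw, as an added example (not Entrust code and not part of the original page): because the on-device tamper log itself can be modified or erased, each audit compares the log pulled from the device with a baseline of record digests kept off the device. The record layout (`seq`, `time`, `event`), the increasing sequence numbers, the event names and the function names are all assumptions; the sample data is constructed.

```python
import hashlib
import json

# Constructed sample data (assumed record layout, not real nShield output).
FIRST_PULL = [
    {"seq": 1, "time": "2025-12-01T08:00:00Z", "event": "chassis_closed"},
    {"seq": 2, "time": "2025-12-01T22:14:09Z", "event": "chassis_opened"},
    {"seq": 3, "time": "2025-12-01T22:31:40Z", "event": "chassis_closed"},
]
LATER_PULL = [
    {"seq": 1, "time": "2025-12-01T08:00:00Z", "event": "chassis_closed"},
    {"seq": 3, "time": "2025-12-01T22:31:40Z", "event": "fan_fault"},
    {"seq": 6, "time": "2025-12-03T09:02:11Z", "event": "chassis_closed"},
]

def digest(record):
    """SHA-256 over one record, with keys sorted so the encoding is stable."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def update_baseline(baseline, device_log):
    """Add unseen records to the off-device baseline {seq: digest}.
    Existing entries are never overwritten, so a later edit cannot replace them."""
    for rec in device_log:
        baseline.setdefault(rec["seq"], digest(rec))
    return baseline

def audit(baseline, device_log):
    """Return sorted (seq, finding) pairs for the device's current log."""
    current = {rec["seq"]: digest(rec) for rec in device_log}
    findings = []
    for seq, known in baseline.items():
        if seq not in current:
            findings.append((seq, "erased"))      # seen before, gone now
        elif current[seq] != known:
            findings.append((seq, "modified"))    # same seq, different content
    seqs = sorted(current)
    for prev, nxt in zip(seqs, seqs[1:]):
        for missing in range(prev + 1, nxt):
            if missing not in baseline:
                findings.append((missing, "gap"))  # never exported at all
    return sorted(findings)

if __name__ == "__main__":
    baseline = update_baseline({}, FIRST_PULL)
    for seq, finding in audit(baseline, LATER_PULL):
        print(f"ALERT seq={seq}: {finding}")
```

Run `audit` before `update_baseline` on every pull, and keep the baseline on storage that cannot be reached from the chassis management board; findings are then the events to correlate with physical access records.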


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 692efeb83a1612a93738c057

Added to database: 12/2/2025, 2:59:04 PM

Last enriched: 12/9/2025, 4:53:24 PM

Last updated: 1/16/2026, 10:09:21 PM
