CVE-2023-25758
CVE-2023-25758 is a medium-severity vulnerability in Onekey Onekey Touch Firmware with a CVSS 3.x base score of 4.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 4.2)
- EPSS exploit prediction: 0% (18th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Onekey Onekey Touch Firmware
- Published:
- Last modified:
Description
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
Frequently asked questions
- What is CVE-2023-25758?
- Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
- How severe is CVE-2023-25758?
- CVE-2023-25758 has a CVSS 3.x base score of 4.2, rated medium severity. It is exploitable over physical access with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-25758 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-25758?
- CVE-2023-25758 primarily affects Onekey Onekey Touch Firmware. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-25758?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-25758 published?
- CVE-2023-25758 was published on 2023-02-14 and last updated on 2026-06-17.
References
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/
- https://github.com/OneKeyHQ/firmware
Affected products (2)
- cpe:2.3:o:onekey:onekey_touch_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:onekey:onekey_mini_firmware:*:*:*:*:*:*:*:*