CVE-2023-25758
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2023
Last modified:
20/03/2025
Description
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
Impact
Base Score 3.x
4.20
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:onekey:onekey_touch_firmware:*:*:*:*:*:*:*:* | 4.0.0 (including) | |
| cpe:2.3:h:onekey:onekey_touch:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:onekey:onekey_mini_firmware:*:*:*:*:*:*:*:* | 2.10.0 (including) | |
| cpe:2.3:h:onekey:onekey_mini:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/
- https://github.com/OneKeyHQ/firmware
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/
- https://github.com/OneKeyHQ/firmware