CVE-2025-69893

Published: Apr 14, 2026 Last Modified: Apr 16, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: physical
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0002
Percentile
0,1th
Updated

EPSS Score Trend (Last 2 Days)

385

Covert Timing Channel

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Other
Potential Impacts:
Read Application Data Other
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
https://trezor.io/vulnerability/fix-side-channel-in-bip-39-…
https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-…
http://trezor.com
http://trezor.com