
As part of Thales's commitment to product security, Thales Digital Identity and Security (DIS), Analytics and IoT Solutions (AIS) lists known security updates on this page.


19 August 2020

Vulnerabilities on Java module family (CVE-2020-15858)

Thales has become aware of a security vulnerability in the Java embedded platform integrated into the Cinterion® modules.

This security vulnerability could potentially allow attackers with physical access to the device to compromise certain assets stored in the Cinterion® modules’ flash file system, such as:

  • Customer Java MIDlet byte code,
  • TLS credentials, or
  • OTAP configuration data

The CVSS base score of this vulnerability is 6.2, as jointly computed by Thales and the security researchers.

Thales has mitigated this issue through a minor modification of the Java embedded platform, which fixes the directory path access check of the internal flash file system. 

The following products and releases were vulnerable:

  • BGS5 up to and including SW RN 02.000 / ARN 01.001.06
  • EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04
  • ELS61 up to and including SW RN 02.002 / ARN 01.000.04
  • ELS81 up to and including SW RN 05.002 / ARN 01.000.04
  • PLS62 up to and including SW RN 02.000 / ARN 01.000.04

Thales began informing all affected customers in Q1 2020.

Thales wishes to thank Grzegorz Wypych and Adam Laurie from X-Force Red for highlighting this issue.
