Overview
After previously identifying several severe vulnerabilities in Motorola TETRA radios as part of our TETRA:BURST research, we were asked to scrutinize the Sepura SC20 series of mobile TETRA radios.
Several issues were encountered, two of which are deemed critical. All attacks require physical access to the device. Now, over two years later, we publish (in limited detail) what we found, in order to inform all asset owners and stakeholders.
Insufficient key entropy for SD card encryption
  Severity: Critical
  Impact: Unauthorized code execution
  Attack vector: Physical

Key exfiltration vulnerability (MBPH-2025-003)
  Severity: Medium
  Impact: Loss of confidentiality/integrity of TETRA traffic
  Attack vector: Code execution
CVEs are available for the first two issues, while the third is still pending. To allow unambiguous reference to that issue, we have assigned it an MBPH (Midnight Blue Placeholder) vulnerability identifier. When a CVE number is assigned, this page will be updated.
In this video, we demonstrate code execution on a Sepura SC20 (Gen 3) radio using CVE-2025-52945. The actual attack only takes a second, after which the device reboots and executes our code.
The vulnerabilities enable an attacker to gain code execution on a Sepura Gen 3 device. Attack scenarios featuring CVE-2025-8458 involve persistent code execution through access to a device's SD card. Abuse of CVE-2025-52945 is even more straightforward as it requires only brief access to the device's PEI connector.
From the premise of code execution, multiple attack scenarios are viable, such as exfiltration of TETRA key materials (MBPH-2025-003) or the implantation of a persistent backdoor into the radio firmware. This leads to the loss of confidentiality and integrity of TETRA communications. Note that MBPH-2025-003 allows for the exfiltration of all TETRA and TETRA E2EE key materials with the exception of the device-specific key K.
Remediating patches for CVE-2025-52945 and CVE-2025-8458 will be made available by Sepura and are expected in Q3 2025. We have been informed that SC6.0, SC5.3 and SC4.3 are to receive the update. A detailed advisory has been distributed to relevant stakeholders through the Dutch National Cyber-Security Centre (NCSC).
Until patches are available and can be rolled out, enhanced TETRA key management policies (key rotation policies, procedures for handling lost devices) are recommended.
The MBPH-2025-003 key exfiltration vulnerability cannot be patched due to architectural limitations. It is important to note, however, that a code execution vulnerability is required before any keys can be recovered and exfiltrated by an attacker.
Midnight Blue adheres to the Dutch NCSC's CVD guidelines, which stipulate a 6-month embargo period for hardware and embedded systems vulnerabilities. At the time of reporting, an advisory was provided to the NCSC, which subsequently distributed it further. In order to protect asset owners and stakeholders against unnecessary exposure to risk, deep technical details are withheld at the initial publication date.
Jun 2023: Vulnerabilities originally identified and reported to client
Feb 2025: Vulnerabilities reported to NCSC-NL, responsible for informing vendor
Jun 2025: Vendor response outlining remediation timeline
Jul 2025: Call with Sepura discussing the device vulnerabilities
Aug 2025: Midnight Blue publishes high-level vulnerability descriptions
Q3 2025: Scheduled release of patch
If you are operating Sepura Gen 3 (e.g. SC20 series) devices, you are most likely affected.
No, brief physical access through the PEI (bottom accessory) connector is required.
CVE-2025-52945 and CVE-2025-8458 are scheduled to be patched by Sepura. MBPH-2025-003 is deemed by Sepura to be a design decision and, as such, shall not be fixed. Given the hardware capabilities, we agree that mitigating the key exfiltration opportunity for an adversary with code execution is not possible under the current architecture.
As company policy, we believe it to be essential that identified vulnerabilities are 1) fixed by the vendor in a timely manner and 2) made public in terms of their existence and impact. This ensures asset owners are informed of the existence of vulnerabilities and allows them to act accordingly, improving the security posture of all.
At this point in time, no further technical details on these vulnerabilities are disclosed.
Proof-of-concept attack code will not be released due to the potential for abuse.