Undocumented Root Shell Access on SIMCom Modem

Title

Undocumented Root Shell Access on SIMCom Modem

Product

SIMCom - SIM7600G Modem

Vulnerable Version

Firmware Revision: LE20B03SIM7600M21-A

Fixed Version

-

CVE Number

CVE-2025-26412

Impact

medium

Homepage

https://www.simcom.com

Found

20.11.2023

By

Constantin Schieber-Knöbl (Office Vienna), Stefan Schweighofer (Office Vienna), Steffen Robertz | SEC Consult Vulnerability Lab

Management Summary

The SIMCom SIM7600G modem supports an undocumented AT command, which allows local/physical attackers to execute system commands with root permissions on the modem. We are unaware of a patch which mitigates the backdoor command as the vendor did not respond to our multiple communication attempts anymore.

Vendor description

"Founded in 2002, SIMCom Wireless Solutions Limited has been committed to providing a variety of wireless modules and solutions including 5G, 4G, LPWA, LTE-A, smart module, automotive module, 3G, 2G and GNSS for 20 years. According to the latest M2M report by ABI Research Inc., a well-known U.S. market research company, SIMCom has made the largest shipments of wireless module for 4 consecutive years."

Source: https://www.simcom.com/about.html

Business recommendation

The vendor was unresponsive to multiple communication attempts during over one year of responsible disclosure after submitting our advisory to them, see the timeline below.

It is unknown to us whether a patch is available. Customers of SIMCom are urged to reach out to their contact person at SIMCom or distributors to demand a patch which removes the backdoor command.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues and verify the removal of the backdoor command.

Vulnerability overview/description

1) Undocumented Root Shell Access (CVE-2025-26412)

The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT commands.

Proof of concept

1) Undocumented Root Shell Access (CVE-2025-26412)

The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute commands with root permissions on the modem. For this example the tool mmcli is used to communicate with the modem. The following example shows how the AT command "AT+CSHELL" can be used to execute system commands on the SIM7600G modem by a physically connected attacker:

# mmcli --modem=1 --command='AT+CSHELL="id"'

response: '+CSHELL: uid=0(root) gid=0(root)'

 

Vulnerable / tested versions

The following firmware version has been tested on a SIMCom modem, that was integrated in a 3rd-party device:

  • Firmware Revision: LE20B03SIM7600M21-A

The vendor did not respond to our questions, which firmware revisions or other products are affected. It is assumed that more firmware revisions are affected.

Vendor contact timeline

2024-05-28 Contacting vendor through support@simcom.com; no response.
2024-10-22 Contacting vendor again, vendor asks about where our company is located and where we purchased the modules. Explaining that we are a security consulting company and that we analyzed a product using the SIMCom modem.
2024-10-23 Vendor responds that they can't support us directly and the vendor of the 3rd-party product needs to contact their supplier/ distributor. Answering them, that we found a security issue in their product and that our request was not for support nor help and the security issue affects all of SIMCom's customers. Asking for a security contact again. No response.
2024-11-13 Contacting vendor again if they received our previous email. Communicating advisory release after deadline on 11th December.
2024-11-18 SIMCom EU sales director contacts us, asking for details and that "their cellular modules work in 100% controlled environments and conform to all standards, if there are any security issues those will be related to the SIM or network provider." Sending technical advisory draft to SIMCom. No further response from vendor.
2024-12-10 Asking for a status update. No response.
2025-02-04 Asking for a status update again, scheduling advisory release. No response (except out of office until 6th February)
2025-02-11 Asking for status update again, reserving CVE-2025-26412, again out of office response until 19th February. No response. Attempting contact via different channels to our contact persons (via LinkedIn - profile was viewed, but other than that, no response)
2025-02-28 Last attempt, final communication of advisory release for next week. Providing recommendations to the vendor regarding the mandatory requirements of the Cyber Resilience Act in the future for security researcher communication. Receiving out of office reply (for 26th return).
2025-02-28 Vendor responds that they are aware of our request, but fail to understand where this request has been originated and are unable to determine the urgency and importance. SIMCom is aware of the CRA.
2025-03-02 Explaining everything again (CVD process, contact attempts in May/October 2024 through support, etc.). Receiving out of office reply again until 17th March 2025.
2025-03-03 SIMCom answers that our request could "not be associated with any customer or tangible market activity" and resources won't get assigned. Suggests conversation with third-party, where we identified the issue.
2025-03-03 Contacting third-party, informing them about the SIMCom status and asking them how they want to proceed.
2025-03-06 Third-party informs us that a test firmware is available where a password can be set for the shell.
2025-03-07 Following up with the 3rd party about "hard-coded passwords", aligning next steps
2025-03-07 Contacting SIMCom again and detailing the whole CVD process again and future alignment, asking for the firmware version of the fix and providing recommendations regarding the hard-coded password fix: Inform all customers about the new solution and provide updated firmware, make the password changeable for integrators etc, properly document the behavior and provide best practices, e.g. strong random unique passwords for each device instead of hard-coded "backdoor". No response from the vendor again (only received out of office reply).
2025-03-24 Following up again, if our email was received and asking for the fixed FW version; Vendor responds that they are currently investigating, the AT-CSHELL command is not properly documented and the idea is to remove the function.
2025-05-22 Asking for a status update. No response.
2025-06-06 Informing vendor about public release next week. Received automated out of office reply again. No response.
2025-06-11 Release of security advisory.

Solution

The vendor was unresponsive to multiple communication attempts during over one year of responsible disclosure after submitting our advisory to them, see the timeline above.

It is unknown to us whether a patch is available. Customers of SIMCom are urged to reach out to their contact person at SIMCom or distributors to demand a patch which removes the backdoor command.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF C. Schieber-Knöbl, S. Schweighofer, S. Robertz, J. Greil / @2025

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back