Management Summary
The SIMCom SIM7600G modem supports an undocumented AT command, which allows local/physical attackers to execute system commands with root permissions on the modem. We are unaware of a patch which mitigates the backdoor command as the vendor did not respond to our multiple communication attempts anymore.
Vendor description
"Founded in 2002, SIMCom Wireless Solutions Limited has been committed to providing a variety of wireless modules and solutions including 5G, 4G, LPWA, LTE-A, smart module, automotive module, 3G, 2G and GNSS for 20 years. According to the latest M2M report by ABI Research Inc., a well-known U.S. market research company, SIMCom has made the largest shipments of wireless module for 4 consecutive years."
Source: https://www.simcom.com/about.html
Business recommendation
The vendor was unresponsive to multiple communication attempts during over one year of responsible disclosure after submitting our advisory to them, see the timeline below.
It is unknown to us whether a patch is available. Customers of SIMCom are urged to reach out to their contact person at SIMCom or distributors to demand a patch which removes the backdoor command.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues and verify the removal of the backdoor command.
Vulnerability overview/description
1) Undocumented Root Shell Access (CVE-2025-26412)
The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT commands.
Proof of concept
1) Undocumented Root Shell Access (CVE-2025-26412)
The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute commands with root permissions on the modem. For this example the tool mmcli is used to communicate with the modem. The following example shows how the AT command "AT+CSHELL" can be used to execute system commands on the SIM7600G modem by a physically connected attacker:
# mmcli --modem=1 --command='AT+CSHELL="id"'
response: '+CSHELL: uid=0(root) gid=0(root)'
Vulnerable / tested versions
The following firmware version has been tested on a SIMCom modem, that was integrated in a 3rd-party device:
- Firmware Revision: LE20B03SIM7600M21-A
The vendor did not respond to our questions, which firmware revisions or other products are affected. It is assumed that more firmware revisions are affected.