CVE-2022-30330

low-risk
Published 2022-05-07

In the KeepKey firmware before 7.3.2,Flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. Using these flaws, malicious firmware code can elevate privileges, permanently make the device inoperable or overwrite the trusted bootloader code to compromise the hardware wallet across reboots or storage wipes.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.6/10 Medium
PHYSICAL / LOW complexity

Affected Products (1)

Keepkey Firmware

Affected Vendors

Keepkey

References (6)

Exploit https://blog.inhq.net/posts/keepkey-CVE-2022-30330/
Patch https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c0984...
Release Notes https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2
Exploit https://blog.inhq.net/posts/keepkey-CVE-2022-30330/
Patch https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c0984...
Release Notes https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal