CVE-2025-69893
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
A side-channel vulnerability in BIP-39 mnemonic processing implementation in Trezor hardware wallets (versions 1.13.0-1.14.0) allows an attacker with physical access during setup to recover the mnemonic code using deep learning-based side-channel analysis. The issue has been patched.
Risk Assessment
An attacker with physical access to the device during initialization can capture the mnemonic code and steal stored cryptocurrency assets, posing a direct threat to user funds.
Recommendation
Immediately update Trezor wallet firmware to a version later than 1.14.0 and avoid configuring devices in environments where physical access may be compromised.
Original NVD description (English source)
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched.

