A critical vulnerability has been identified in the GSMA TS.48 Generic Test Profile versions 6.0 and earlier, which are widely used across the eSIM industry for radio compliance testing.
This flaw allows attackers with physical access to an embedded Universal Integrated Circuit Card (eUICC) to exploit publicly known keys, enabling the installation of non-verified and potentially malicious JavaCard applets.
In essence, this could allow unauthorized parties to load rogue applications onto the eSIM, compromising its security and potentially enabling eSIM profile cloning or other forms of data manipulation.
Vulnerability Exposes eSIMs
The exploit requires a specific sequence: physical access to the device, activation of the test profile, and use of these exposed keys to bypass standard verification processes.
While the TS.48 profile is intended solely for controlled testing environments and not for production use, its presence in field-deployed devices has raised alarms about real-world risks.
Successful exploitation could lead to severe consequences, such as unauthorized access to cellular network credentials, interception of communications, or even full eSIM takeover, mimicking the cloning of physical SIM cards but with far greater stealth because of the embedded nature of eSIMs.
Technical analysis reveals that the vulnerability stems from the profile's inclusion of Remote Applet Management (RAM) keys, which, when not randomized, become predictable and exploitable.
Attackers could leverage this to inject bytecode-unverified applets, circumventing the JavaCard runtime environment's security mechanisms.
This is particularly concerning in scenarios where eUICCs are integrated into consumer devices like smartphones, wearables, or IoT modules, where physical tampering might occur in supply chain attacks or targeted espionage.
The issue affects all eSIM products adhering to pre-v7.0 GSMA specifications, though not all eUICCs are equally vulnerable: many cannot be forced into test mode or lack these exposed keys.
Nonetheless, the potential for misuse has prompted an industry-wide alert, emphasizing the need for hardened security postures in eSIM deployments.
Broader Industry Safeguards
According to the report, Kigen, a leading eSIM solutions provider, has swiftly released an operating system (OS) security patch that prevents unauthorized remote applet loading, even when the vulnerable TS.48 profile is active on field devices.
This patch incorporates additional JavaCard runtime hardening measures, ensuring that applet installations are blocked in test profiles because of the absence of reliable bytecode verification methods.
Distributed via standardized Over-the-Air (OTA) Remote File Management to all customers, the update forms part of a two-layer mitigation strategy.
Complementing this, Kigen has released safer test profiles that exclude RAM keys by default, only incorporating randomized keys upon explicit request.
These enhancements not only address the immediate vulnerability but also reinforce the foundational security model of eSIMs, preventing rogue app loading at both the profile and OS levels.
Kigen's contributions extend to the GSMA's updated TS.48 v7.0 specification, which now restricts test profile usage to safer variants without remote loading capabilities or those with confidential, randomized keysets for controlled environments.
The company has also influenced the GSMA Application Note on secure eSIM usage, promoting awareness of risks and best practices.
Publicly available since July 9, 2025, these documents underscore the collaborative effort to mitigate such threats industry-wide.
As eSIM adoption surges in 5G and beyond, Kigen plans ongoing enhancements, aligning with GSMA initiatives to evolve product security.
Users and manufacturers are urged to apply patches immediately and avoid test profiles in production, ensuring robust protection against this evolving threat landscape.
This proactive stance highlights the resilience of eSIM technology when fortified with timely mitigations.