Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.
The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020.
The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report.
An eSIM, or embedded SIM, is a digital SIM card that's embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip.
eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.
"The eUICC card makes it possible to install the so-called eSIM profiles into the target chip," Security Explorations said. "eSIM profiles are software representations of mobile subscriptions."
According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.
Specifically, the shortcoming allows for the installation of non-verified and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.
"Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys," Kigen said. "This enables the attacker to install a malicious JavaCard applet."
Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, tamper with profiles, and load them into an arbitrary eUICC without being flagged by the MNO.
Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.
These security defects can be exploited to "break memory safety of the underlying Java Card VM" and gain full access to the card's memory, break the applet firewall, and potentially even achieve native code execution.
However, Oracle downplayed the potential impact and indicated that the "security concerns" did not affect its production Java Card VM. Security Explorations said these "concerns" have now been proven to be "real bugs."
The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.
"The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring," the company added.
"In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point."
Update
Following the publication of the story, Kigen told The Hacker News that the security vulnerability is limited to a specific variant of Kigen eSIM OS, which was created with specific configurations to support developmental and compliance testing of devices.
The company also said it notified all affected customers and direct users of the issue and that it has received confirmation from customers acknowledging the successful update to their devices via the security measures implemented.
Furthermore, Kigen acknowledged the efforts of AG Security Research for discovering this vulnerability and the members of the GSMA eSIM Working Group and the GSMA team for additional coordinated action.
The salient aspects of the statement from the company are reproduced verbatim below:
In response to the issue raised, Kigen has published a Security Bulletin (reference: KGNSB-07-2025) dated 9 July 2025, which directly addresses the vulnerability cited in AG Security’s findings. This bulletin is available through the Kigen Security Center (link).
Kigen issued an Over-The-Air (OTA) security update across its customer base to address this vulnerability, prioritizing deployment based on device type and network availability. The update consists of a two-layer mitigation approach. First, an operating system security patch was applied to prevent unauthorized applet loading in devices where the GSMA TS.48 Generic Test Profile is present. Kigen OS now also includes additional countermeasures against unverified Java Card® bytecode. Where requested specifically, the test profile will only include randomized keysets. Second, a modified test profile was issued, significantly reducing risk by removing the Remote Applet Management keys.
Furthermore, Kigen has taken proactive steps to contribute to the broader industry response coordinated by the GSMA. This includes sharing our mitigation strategy to support revision to the TS.48 Generic Test Profile specification (now, TS.48 v7.0) and formulating associated risk prevention and mitigation guidance. Kigen will continue to make further security enhancements available as necessary as part of the GSMA collaborative effort.
The circumstances in which the security vulnerability highlighted by AG Security Research can be exploited require specific conditions to be true. To achieve a successful attack, the attacker must have physical access to an eUICC with publicized keysets and would need to force the eSIM to enable the Test Profile via a test mode. Once this is done, the eSIM is not remotely accessible or connected to a mobile network. Not all eUICC products have the test profile or can be forced into test mode. The attack impacted Kigen eSIM OS ECu10.13, a specific eSIM product variant tailored towards development use.
Further, the GSMA guidance, issued to its members as an application note, now recommends that Java Card bytecode be verified before installing any third-party application. The new versions of the eSIM specifications, currently being drafted at GSMA with the involvement of Kigen, will mandate Java Card bytecode verification.
(The story was updated after publication on July 23, 2025, to include a response from Kigen.)
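As an added illustration of the defensive controls described in Kigen's statement (blocking applet loading while a test profile is present, randomizing or removing the Remote Applet Management keyset, and verifying Java Card bytecode before installation), the following Python audit script models that policy. It is example code written for this page, not Kigen's or GSMA's code; the profile structure, function names and sample keys are assumptions, and a plain key comparison stands in for the real secure-channel authentication. The one real-world value used is the widely documented GlobalPlatform test key (bytes 0x40 to 0x4F), included only so the checker can flag keysets that were never randomized.

```python
"""Defender-side audit of eSIM profile keysets and applet-load policy (added example)."""
import hmac
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Widely documented GlobalPlatform test key (0x40..0x4F). Used here only to detect
# keysets that were never randomized; any profile still carrying it is flagged.
GP_DEFAULT_KEY = bytes(range(0x40, 0x50))

# Constructed sample of a randomized 16-byte key (assumption, not from the article).
SAMPLE_RANDOM_KEY = bytes.fromhex("9f3a7c1e58d2b4608a1fe7c39b5d2e41")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the key's own byte distribution; 16 distinct bytes give 4.0."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_weak_key(key: bytes) -> bool:
    """True for known defaults and structured/low-entropy keysets."""
    if key == GP_DEFAULT_KEY:
        return True
    if len(set(key)) <= 1:                      # all bytes identical (all-zero, all-0xFF, empty)
        return True
    steps = {(key[i + 1] - key[i]) % 256 for i in range(len(key) - 1)}
    if len(steps) == 1:                         # constant step: 00 01 02 .. or 0F 0E 0D ..
        return True
    return shannon_entropy(key) < 3.0           # constructed threshold: fewer than ~8 distinct bytes


@dataclass
class Profile:
    name: str
    is_test_profile: bool              # GSMA TS.48 generic test profile loaded?
    ram_keys: Optional[bytes]          # Remote Applet Management keyset; None once removed


@dataclass
class AppletLoadRequest:
    applet_id: str                     # placeholder identifier, not a real AID
    bytecode_verified: bool            # did a Java Card bytecode verifier pass the package?
    presented_key: bytes


def audit_profile(p: Profile) -> List[str]:
    """Static findings an operator would want before a profile ships on a device."""
    findings = []
    if p.is_test_profile and p.ram_keys is not None:
        findings.append("test profile retains RAM keys; remove or randomize them")
    if p.ram_keys is not None and is_weak_key(p.ram_keys):
        findings.append("RAM keyset is a known default or low-entropy value")
    return findings


def allow_applet_load(p: Profile, req: AppletLoadRequest) -> Tuple[bool, str]:
    """Runtime policy mirroring the two-layer mitigation: every branch fails closed."""
    if p.ram_keys is None:
        return False, "no RAM keyset: remote applet management disabled"
    if p.is_test_profile:
        return False, "applet loading blocked while test profile is active"
    if is_weak_key(p.ram_keys):
        return False, "RAM keyset is default/low-entropy; rotate before allowing loads"
    if not hmac.compare_digest(req.presented_key, p.ram_keys):   # stand-in for SCP auth
        return False, "key mismatch"
    if not req.bytecode_verified:
        return False, "unverified Java Card bytecode rejected"
    return True, "load permitted"


def demo() -> Dict[str, object]:
    """Constructed scenarios: a dev-variant test profile, its hardened form, an operator profile."""
    dev_test = Profile("ts48-generic-test", True, GP_DEFAULT_KEY)
    hardened = Profile("ts48-generic-test-hardened", True, None)
    operational = Profile("operator-profile", False, SAMPLE_RANDOM_KEY)
    verified = AppletLoadRequest("EXAMPLE-APPLET", True, SAMPLE_RANDOM_KEY)
    unverified = AppletLoadRequest("EXAMPLE-APPLET", False, SAMPLE_RANDOM_KEY)
    return {
        "dev_test_findings": audit_profile(dev_test),
        "hardened_findings": audit_profile(hardened),
        "load_on_dev_test": allow_applet_load(dev_test, AppletLoadRequest("EXAMPLE-APPLET", True, GP_DEFAULT_KEY)),
        "load_unverified": allow_applet_load(operational, unverified),
        "load_verified": allow_applet_load(operational, verified),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audit function is what a fleet owner would run against profile configuration before provisioning; the load policy is the on-card (or provisioning-server) decision, and it is deliberately ordered so that a present test profile or a missing keyset short-circuits before any key is even compared.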