A critical physical security flaw allows local attackers to bypass password protections and reset devices via USB, leading to a complete loss of device control and data access.

This vulnerability allows a local attacker with physical access to a device to trigger a full device reset. By providing an invalid reset file through a USB port, the attacker can bypass existing device passwords, effectively gaining unauthorized control over the hardware.

The ability to reset a device and bypass passwords represents a catastrophic failure of physical security controls. With a CVSS score of 7.7, this High-severity vulnerability could lead to the theft of the device and the subsequent loss of all stored data. For organizations, this means that any lost or unattended device could be completely compromised, leading to significant data breaches and regulatory non-compliance.

Immediate Action: Apply the vendor's firmware update immediately to disable the insecure USB reset mechanism or require proper authentication for reset procedures.

Proactive Monitoring: Implement physical security measures to prevent unauthorized USB access and use hardware asset management to track the location and status of all mobile devices.

Compensating Controls: Disable USB ports on sensitive hardware where not required, or use endpoint protection software that can block unauthorized USB storage devices and reset files.

Public Exploit Available: false

Immediate firmware updates are required for all affected hardware. Organizations should also review their physical security policies to ensure that sensitive devices are not left in unsecured areas. Relying on password protection is insufficient if the underlying hardware allows for an unauthenticated reset via a simple USB connection.