Security Advisory SB-2025-03: DP Cards

Published: 2025-10

CVSS Severity: 4.6

Summary

A vulnerability has been identified that may allow bypassing the authentication mechanism of the Private Partition feature on certain Swissbit SD and microSD cards.
An adversary with local or physical access could potentially read out data from a protected Private Partition, circumventing the PIN / SO-PIN login mechanism.
This vulnerability does not allow data modification or deletion.

Affected Feature

  • Private Partition (Private RO, Private RW) feature only.

  • The issue affects devices actively using the Private Partition functionality.

  • The vulnerability allows partial read-out of data from a protected area without proper authentication.

  • Data modification, overwriting, or erasure cannot be performed using this vulnerability.

Not Affected Features

  • The PIN / SO-PIN mechanism itself (authentication logic) is unaffected.

  • Other protection features such as:

  • Authenticity Secret

  • NVRAM confidentiality

  • Public protection profiles

  • are not impacted.

  • USB-based products and Fiscal SD products using Private Partitions are not affected.

Affected Product Series

End-of-Life Products

  • PS-45 DP

  • PS-45 SE/PE

  • PS-450 SE/PE

  • PS-450u DP

  • PS-450u SE/PE

  • PS-45u DP

  • PS-45u SE/PE

  • PS-46 DP

  • PS-46u DP

Products in Production

  • PS-66 DP

  • PS-66 SE/PE

  • PS-66u DP

  • PS-66u SE/PE

  • PS-66u

  • Security Upgrade Kit

A complete list of affected part numbers can be found in the appendix below.

Fixed Software / Mitigation

  • The affected firmware (CFE) cannot be upgraded in the field.

  • Swissbit can perform firmware patching at its facilities upon customer request.

  • An upgradable firmware feature is under development and will be released soon.

  • Products manufactured after 01.08.2025 will include the security patch and are not affected.

Exploitation and Public Disclosure

  • No known exploitation or public disclosure of this vulnerability has occurred.

  • A responsible disclosure process is ongoing with the reporting researcher.

Source and Acknowledgments

Swissbit would like to thank an independent security researcher for responsibly reporting this vulnerability.

CVSS Information

  • CVSS Score: 4.6 (Medium)

  • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Impact: Local attackers with physical access could gain unauthorized read-only access to data within the Private Partition.

Identification of vulnerable devices

Devices produced before August 2025 are affected. Our guide explains several ways to check the manufacturing date:
https://community.swissbit.com/c/tools-and-code/how-to-identify-the-production-date-of-your-swissbit-card

How-To identify vulnerable devices directly by the firmware version (CFE App Version) is described in our Firmware/Application version guide:
https://community.swissbit.com/c/tools-and-code/identification-of-firmware-application-versions-of-security-cards

Affected Products

Affected Part Numbers

Besuchen Sie uns:

Abonnieren Sie unseren Newsletter

Bleiben Sie mit Swissbit in Kontakt und erhalten Sie die neuesten Informationen. Der Swissbit Newsletter informiert Sie regelmäßig über Neuigkeiten rund um Speicher- und Sicherheitslösungen sowie über aktuelle Veranstaltungen und neue Produkte.

Jetzt abonnieren

Über Swissbit

Swissbit bietet branchenführende Speicher- und Sicherheitslösungen für zuverlässige Datenspeicherung, wirksamen Schutz sensibler Informationen und sicheren Zugriff auf kritische Anwendungen. So unterstützen wir unsere Kunden dabei, die digitale Transformation in verschiedensten Branchen voranzutreiben.

Mehr Swissbit

Made in Germany
Vertriebspartner
Karriere
Kontakt
© 2026 Swissbit AG
Impressum
Datenschutz
Copyright-Hinweis
AGBs
Blog
Rücknahme & Recycling
Cookie Einstellungen