PT-2024-38535 · Kioxia · Kioxia Pm6+2

Mkammerstetter · Published 2024-12-20 · Updated 2025-07-23 · CVE-2024-7726

CVSS v3.1: 6.8 Medium

Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kioxia PM6, PM7, and CM6 devices (affected versions not specified)

Description

The issue concerns a JTAG port on the Kioxia PM6, PM7, and CM6 devices that is accessible without authentication. The port is exposed on the drive's circuit board and, because of the wide cutout in the enclosure, can be reached without opening the disk enclosure. An attacker with temporary physical access can use the JTAG debug port to get full access to the firmware and memory on the two main CPU cores within the drive. This access includes executing arbitrary code, modifying firmware execution flow and data, and bypassing the firmware signature verification during boot-up.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2024-7726
GHSA-3HH8-94J4-62RH

Affected Products

Kioxia Cm6
Kioxia Pm6
Kioxia Pm7