NXP i.MX Product Family
Monitor | 6 | ICS-CERT ICSA-17-152-02 | Jun 1, 2017
Attack Vector: Physical
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
NXP i.MX product family processors contain stack buffer overflow (CWE-121) and improper certificate validation (CWE-295) vulnerabilities in the bootloader. These allow physical attackers with access to debug interfaces or firmware modification capabilities to execute arbitrary code during the boot process. Affected products include the i.MX 6 series (Solo, DualLite, Dual, Quad, SoloX, DualPlus, QuadPlus), i.MX 7 series (Solo, Dual), i.MX 28, Vybrid VF3xx/VF5xx/VF6xx, and other variants. The advisory notes that exploitation requires physical access or specialized tools and does not indicate active exploitation in the wild.
What this means
What could happen
An attacker with physical access to the device or the ability to modify firmware could exploit these bootloader vulnerabilities to run arbitrary code during device startup, potentially taking full control of the system and any connected industrial equipment or sensors.
Who's at risk
This affects equipment manufacturers and system integrators using NXP i.MX processors in industrial controllers, PLCs, RTUs, drives, gateways, and embedded devices. Any OT equipment with i.MX 6 or i.MX 7 series processors in power systems, water treatment, manufacturing, or other critical infrastructure is potentially affected. End-users operating equipment built on these processors should determine if their devices use vulnerable components.
How it could be exploited
An attacker must have physical access to the device or modify the firmware before boot. They could exploit the stack buffer overflow in the bootloader (CWE-121) or bypass certificate validation (CWE-295) to load malicious code during the boot sequence, gaining complete control of the processor and any connected equipment.
Prerequisites
- Physical access to debug interfaces (JTAG, serial port)
- Ability to modify or replace firmware before device boot
- Specialized tools to interact with bootloader
- Access to unencrypted or weakly protected firmware storage
- No patch available
- Affects boot-level code (highest privilege)
- Low EPSS score (0.2%) but physical access required limits immediate risk
- Impacts processor family broadly (multiple product lines)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (18)
18 EOL
Product | Affected Versions | Fix Status
6UltraLit - * | All versions | No fix (EOL)
6SoloLite - * | All versions | No fix (EOL)
50 - * | All versions | No fix (EOL)
53 - * | All versions | No fix (EOL)
6ULL - * | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Identify all equipment and devices in your network using NXP i.MX processors (particularly i.MX 6 and i.MX 7 series); consult equipment datasheets and vendor documentation
- HARDENING: Physically secure devices to prevent unauthorized access to debug ports (JTAG, serial console) and firmware storage
- HARDENING: Implement access controls to firmware update mechanisms and restrict who can physically access device internals or debug interfaces
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: If updates or firmware patches become available from your equipment vendor, apply them during scheduled maintenance windows
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 6UltraLit - *, 6SoloLite - *, 50 - *, 53 - *, 6ULL - *, 6Solo - *, 6DualLite - *, 6SoloX - *, 6Dual - *, 6Quad - *, 6QuadPlus - *, Vybrid VF3xx - *, Vybrid VF5xx - *, Vybrid VF6xx - *, 28 - *, .MX 7Solo - *, 7Dual - *, 6DualPlus - *. Apply the following compensating controls:
- HARDENING: Monitor for firmware integrity changes using vendor-supplied validation tools if available
CVEs (2)