The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-15858

CVE-2020-15858: Thales BGS5 Path Traversal Vulnerability

CVE-2020-15858 is a path traversal vulnerability in Thales BGS5 Firmware allowing physically proximate attackers to bypass directory access checks. This article covers technical details, affected versions, and mitigations.

Published: March 4, 2026

CVE-2020-15858 Overview

CVE-2020-15858 is a directory traversal vulnerability affecting multiple Thales DIS (formerly Gemalto, formerly Cinterion) IoT modules. The vulnerability allows physically proximate attackers to circumvent the directory path access check of the internal flash file system. This flash file system stores critical data including application-specific data, customer Java applications, TLS certificates, and OTAP (Java over-the-air-provisioning) functionality.

Critical Impact

Attackers with physical access can bypass file system security controls to access sensitive data including TLS certificates and Java application code stored on affected IoT modules.

Affected Products

  • Thales BGS5 up to and including SW RN 02.000 / ARN 01.001.06
  • Thales EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04
  • Thales ELS61 up to and including SW RN 02.002 / ARN 01.000.04
  • Thales ELS81 up to and including SW RN 05.002 / ARN 01.000.04
  • Thales PLS62 up to and including SW RN 02.000 / ARN 01.000.04

Discovery Timeline

  • August 21, 2020 - CVE-2020-15858 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-15858

Vulnerability Analysis

This directory traversal vulnerability (CWE-22) exists in the internal flash file system access control mechanism of Thales DIS IoT cellular modules. The vulnerability stems from insufficient validation of file path inputs, allowing attackers to escape the intended directory boundaries and access protected areas of the flash storage.

The attack requires physical proximity to the vulnerable device, which limits the attack surface but remains significant in deployment scenarios where IoT devices may be installed in accessible locations. Once exploited, an attacker can access sensitive data that should be protected by the file system's access controls.

The impact is particularly concerning because the flash file system stores security-critical data including TLS certificates used for secure communications, Java applications that may contain business logic or credentials, and OTAP provisioning data. Compromise of these elements could lead to broader system compromise, credential theft, or the ability to impersonate legitimate devices.

Root Cause

The root cause is an improper path validation flaw in the internal flash file system's access control mechanism. The path checking routine fails to properly sanitize or validate directory traversal sequences (such as ../) in file path inputs, allowing attackers to navigate outside of permitted directories. This represents a classic directory traversal vulnerability where input validation is insufficient to prevent path escape attempts.

Attack Vector

The attack requires physical access to the affected IoT module. An attacker with such access can craft malicious file path requests that include directory traversal sequences to bypass the intended access restrictions on the flash file system. By escaping the designated directory boundaries, the attacker gains unauthorized access to read or potentially modify sensitive files stored in protected areas of the flash storage.

The exploitation methodology involves sending specially crafted path requests through available interfaces that allow attackers to traverse beyond the intended directory scope. This could potentially be achieved through debug interfaces, AT command interfaces, or other communication channels available when physical access is obtained.

Detection Methods for CVE-2020-15858

Indicators of Compromise

  • Unusual access patterns to the internal flash file system on affected IoT modules
  • Evidence of directory traversal attempts in device logs (sequences containing ../ or similar patterns)
  • Unauthorized modifications to TLS certificates or Java application files
  • Unexpected changes to OTAP configuration or provisioning data

Detection Strategies

  • Monitor physical access to deployed IoT devices, particularly in uncontrolled environments
  • Implement file integrity monitoring on critical flash file system contents where device capabilities permit
  • Review device logs for evidence of abnormal file system access patterns or traversal attempts
  • Deploy tamper-evident enclosures or physical security controls for IoT devices in accessible locations

Monitoring Recommendations

  • Maintain an accurate inventory of all Thales DIS IoT modules deployed in your environment
  • Implement regular firmware version audits to identify unpatched devices
  • Establish alerting for physical access to IoT device enclosures in sensitive deployments
  • Monitor for unauthorized certificate changes or Java application modifications through device management platforms

How to Mitigate CVE-2020-15858

Immediate Actions Required

  • Identify all Thales DIS IoT modules in your environment and catalog their firmware versions
  • Prioritize firmware updates for devices in physically accessible or uncontrolled locations
  • Implement physical security controls to restrict unauthorized access to affected devices
  • Review and backup current TLS certificates and Java applications before applying updates

Patch Information

Thales has released firmware updates to address this vulnerability. Organizations should consult the Thales Security Updates for Cinterion IoT Modules page for specific patched firmware versions for each affected product line.

The following minimum firmware versions should be applied:

  • BGS5: Firmware versions after SW RN 02.000 / ARN 01.001.06
  • EHSx and PDSx: Firmware versions after SW RN 04.003 / ARN 01.000.04
  • ELS61: Firmware versions after SW RN 02.002 / ARN 01.000.04
  • ELS81: Firmware versions after SW RN 05.002 / ARN 01.000.04
  • PLS62: Firmware versions after SW RN 02.000 / ARN 01.000.04

Workarounds

  • Deploy affected IoT devices in physically secured enclosures to prevent unauthorized physical access
  • Implement tamper detection mechanisms where available to alert on physical access attempts
  • Disable or restrict unnecessary interfaces that could be used for exploitation when physical access is obtained
  • Consider network segmentation to limit the impact if device credentials are compromised
bash
# Firmware version verification example
# Check current firmware version via AT command interface
AT^SIND
# Review device inventory for affected firmware versions
# Consult Thales documentation for product-specific version commands

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechThalesgroup
  • SeverityMEDIUM
  • CVSS Score6.4
  • EPSS Probability0.28%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-22
  • Technical References
  • Packet Storm Heap Overflow Exploit
  • Full Disclosure April 2023 Post
  • Vendor Resources
  • Thales Security Update for IoT
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English