Critical vulnerabilities found in Kigen’s eSIM (embedded SIM) technology, impacting billions of smartphones and IoT devices.

Security researchers have uncovered critical vulnerabilities in Kigen’s eSIM (embedded SIM) technology, raising concerns over the security of more than two billion devices worldwide. The flaws, which impact smartphones and a vast array of Internet of Things (IoT) products, could enable attackers to remotely compromise devices, intercept private communications, and steal sensitive subscriber data.

Vulnerability Details

The vulnerabilities stem from weaknesses in the Java Card virtual machine implementation on Kigen’s embedded Universal Integrated Circuit Card (eUICC) chips. These chips serve as the cornerstone of modern eSIM technology, managing digital SIM profiles and safeguarding cryptographic keys essential for secure mobile communications.

Researchers identified exploitable type confusion vulnerabilities—issues previously reported to Oracle in 2019 but left unaddressed in Kigen’s implementation. By leveraging these flaws, attackers could gain unauthorized access to protected memory areas, extract critical cryptographic keys, and clone eSIM profiles. This, in turn, could allow malicious actors to impersonate users, intercept calls and messages, and even render eSIM chips inoperable.

Attack Vectors and Scope

The primary attack scenario requires brief physical access to a target device, as well as knowledge of certain cryptographic keys, enabling the installation of malicious Java Card applets. In some cases, attackers could exploit over-the-air (OTA) provisioning messages, particularly if devices are operating with insecure test profiles or exposed keys.

The scale of the threat is significant: Kigen’s eSIM technology is embedded in more than two billion devices globally, spanning consumer, industrial, and enterprise applications. Potential consequences include unauthorized cloning of eSIM profiles, theft of sensitive network authentication data, interception of two-factor authentication codes, and persistent device compromise.

Industry Response and Mitigation

Upon discovery, the vulnerabilities were promptly disclosed to Kigen and the GSM Association (GSMA) in early 2025. In response, Kigen collaborated with the GSMA to update the relevant test profile specifications (GSMA TS.48 v7.0) and issued patches to millions of affected eSIMs. Key mitigations include disabling remote applet installation in test profiles and strengthening the Java Card virtual machine to prevent bytecode manipulation.

Kigen has stated that most commercial eUICCs are not vulnerable, particularly those not utilizing test profiles or exposed keys. However, security experts caution that the underlying Java Card vulnerabilities could impact a broader range of products if not comprehensively addressed.
