Title: KGNSB-07-2025 – Patches Distributed and All Customers Notified: GSMA TS.48 Test Profile Vulnerability and JavaCard Runtime Hardening
Article Ref: KGNSB-07-2025
Document type: Security bulletin
Public date: July 9th, 2025
A vulnerability in the GSMA TS.48 Generic Test Profile (v6.0 and earlier), used in all eSIM products across the industry for radio compliance testing, allows installation of non-verified and potentially malicious applets. Kigen has issued an OS patch and contributed to the GSMA TS.48 v7.0 specification.
The patch has been distributed to all Kigen customers.
The GSMA Generic Test Profile TS.48 is designed for controlled testing and is not recommended for installation or application management in any production environment.
Kigen customers have access to a two-layer mitigation strategy that fully addresses this risk, distributed through standardized Over-the-Air (OTA) Remote File Management.
Together, these enhanced safeguards prevent rogue apps from being loaded and go beyond profile-level fixes by reinforcing the foundational security model of eSIMs.
Kigen has contributed this approach and recommendation to support the wider industry response to avoid the misuse of RAM keys. These ideas are now included in the updated specification document GSMA TS.48 v7.0 Generic eUICC Test Profile for Device Testing and the GSMA Application Note detailing guidelines for safe use of eSIM specifications. Publicly available documents are referenced below to promote awareness of associated risks and responsible actions.
Kigen will make further security enhancements available as necessary as part of ongoing product evolution and the GSMA collaborative effort.
Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys.
This enables the attacker to install a malicious JavaCard applet.
Most eUICCs are not vulnerable – many cannot be forced into test mode or lack exposed publicly known keys. As a precaution in GSMA TS.48 v7, use of TS.48 test profiles is now restricted, either to safer test profiles without remote applet loading capabilities, or those with randomized and confidential keysets during controlled testing. The Kigen OS also now prohibits JavaCard Applet Installation on any Test Profile.
Kigen would like to thank AG Security Research for discovering and responsibly disclosing this vulnerability and the members of the eSIM Working Group and wider GSMA team for additional coordinated action.
TS.48 v7.0 Generic eUICC Test Profile for Device Testing, Published 18th June, 2025, GSMA Website.