A major security vulnerability has been uncovered in the GSMA TS.48 Generic Test Profile, a standard used across the global eSIM industry for radio compliance testing.
This flaw, affecting version 6.0 and earlier, permits the installation of non-verified and potentially hostile JavaCard applets on eSIM devices.
Kigen, a leading provider of eSIM solutions, recognized the issue and responded rapidly by distributing an urgent operating system (OS) patch to its entire customer base and contributing enhancements to the GSMA TS.48 v7.0 specification.
Critical Flaw in GSMA TS.48 Test Profile
The GSMA TS.48 test profile is widely deployed in test environments to ensure mobile devices comply with radio performance standards.
However, the permissive nature of this profile, originally intended for tightly controlled lab settings, left a door open for attackers: with physical access to a device and knowledge of publicly available keys, they could bypass the security checks that normally gate applet loading.
This loophole potentially enables loading of malicious JavaCard applets, opening avenues for eSIM cloning, mobile identity theft, and persistent device compromise.
The heart of the vulnerability lies in the Remote Applet Management (RAM) feature included within test profiles.
RAM keys, sometimes publicly documented for interoperability in test scenarios, can be misused if eSIMs with the test profile are present on devices outside of lab conditions.
If exploited, attackers could install rogue applications that intercept, modify, or exfiltrate sensitive SIM operations, effectively assuming the device’s mobile identity.
Vendors Rush to Patch
According to the report, Kigen’s security bulletin (KGNSB-07-2025) outlines a two-pronged mitigation strategy now deployed for all customers.
First, a security patch delivered via standardized Over-the-Air (OTA) remote file management blocks any unauthorized installation of JavaCard applets whenever the TS.48 test profile is active in the field, regardless of key exposure.
Second, new “safer” test profiles roll out by default without RAM keys; if RAM is strictly necessary, only randomized and confidential keys are now used.
Kigen’s latest OS release goes further still, prohibiting applet installation outright on any device running a test profile. The bulletin describes this as an essential step, since current JavaCard standards cannot reliably enforce bytecode verification on test profiles.
Crucially, most deployed eUICCs (embedded Universal Integrated Circuit Cards, or eSIMs) are not vulnerable to this exploit.
Many cannot be forced into test mode, do not allow profile swapping outside authorized contexts, or were never provisioned with publicly known RAM keys.
Still, industry-wide precautionary action is now in place: GSMA’s revised TS.48 v7.0 restricts test profiles to use strictly randomized keysets and explicitly bans remote applet management in uncontrolled environments.
New application notes and public guidelines make clear that test profiles must never be deployed in production or field devices.
Kigen and the GSMA urge all vendors and developers to audit their inventories, ensure all devices are patched, and avoid loading test profiles in customer-facing environments.
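The inventory audit the bulletin asks for can be mechanized. The following is an added example in Python, not code from Kigen or the GSMA, that walks a list of eUICC records and flags the two conditions the mitigations above target: a test profile active outside the lab, and RAM keys that are publicly known or visibly patterned. The EIDs, the inventory records and the "known public keys" list are constructed for illustration; the one key value included is GlobalPlatform’s widely published default keyset, and the page does not say whether TS.48 documented that particular value.

```python
"""Inventory audit for eUICC test profiles.

Added example, not code from Kigen or the GSMA. It models two checks the
mitigations call for: no device in the field should be running a test
profile, and any test profile that still carries RAM keys must use a
randomized, non-public keyset. The inventory records, EIDs and the list
of publicly known keys below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field

# GlobalPlatform's long-published default keyset value, reproduced in many
# development guides. Assumption: any key that appears in public
# documentation counts as compromised. The page does not say which key
# values TS.48 documented, so this set is illustrative, not TS.48's list.
KNOWN_PUBLIC_KEYS = {
    bytes.fromhex("404142434445464748494A4B4C4D4E4F"),
}

KEY_NAMES = ("ENC", "MAC", "DEK")  # the three static keys of a GlobalPlatform keyset


@dataclass
class Euicc:
    eid: str                     # 32-digit eUICC identifier (constructed values below)
    active_profile: str          # "operational" or "test"
    environment: str             # "lab" or "field"
    ram_keys: dict = field(default_factory=dict)  # key name -> 16-byte key; empty if RAM is disabled


def is_weak_key(key: bytes) -> bool:
    """True if the key is public, too short, or follows a pattern a human typed.

    Plain entropy counting is useless here: the default key 40..4F uses 16
    distinct bytes and would score as 'random', so we test for structure
    instead (a constant byte, or a constant stride such as 00 01 02 .. or 40 41 42 ..).
    """
    if len(key) < 16 or key in KNOWN_PUBLIC_KEYS:
        return True
    if len(set(key)) == 1:
        return True
    strides = {(key[i + 1] - key[i]) % 256 for i in range(len(key) - 1)}
    return len(strides) == 1


def audit(inventory: list) -> dict:
    """Return {eid: [finding, ...]} for every device that violates the policy."""
    findings = {}
    for dev in inventory:
        issues = []
        if dev.active_profile == "test":
            if dev.environment == "field":
                issues.append("test profile active in the field")
            weak = sorted(name for name, k in dev.ram_keys.items() if is_weak_key(k))
            if weak:
                issues.append("publicly known or patterned RAM key: " + ", ".join(weak))
            if dev.ram_keys and dev.environment == "field":
                issues.append("remote applet management reachable outside the lab")
        if issues:
            findings[dev.eid] = issues
    return findings


def generate_random_ram_keyset() -> dict:
    """Per-profile randomized keyset, the only form TS.48 v7.0 permits when RAM must stay enabled."""
    return {name: secrets.token_bytes(16) for name in KEY_NAMES}


PUBLIC_KEYSET = {name: bytes.fromhex("404142434445464748494A4B4C4D4E4F") for name in KEY_NAMES}

# Constructed inventory: one clean operational device, a lab unit with the
# public keyset, a field unit still on a test profile, and a lab unit with
# a randomized keyset (what a v7.0-style profile looks like).
SAMPLE_INVENTORY = [
    Euicc("89001000000000000000000000000001", "operational", "field"),
    Euicc("89001000000000000000000000000002", "test", "lab", dict(PUBLIC_KEYSET)),
    Euicc("89001000000000000000000000000003", "test", "field", dict(PUBLIC_KEYSET)),
    Euicc("89001000000000000000000000000004", "test", "lab", generate_random_ram_keyset()),
]

if __name__ == "__main__":
    for eid, issues in audit(SAMPLE_INVENTORY).items():
        print(eid)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the script reports the lab unit with the public keyset, reports the field unit three times over (test profile in the field, public keys, and RAM reachable), and stays silent on the operational device and on the lab unit with a randomized keyset. In a real deployment the records would come from the eUICC management platform, and the known-key list should hold every keyset value that has ever appeared in a published test specification or vendor guide.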
The collaborative industry effort highlights the delicate balance required in security engineering: tools designed for validation and testing must never leak into production, where their built-in trust assumptions no longer hold.