A critical flaw in eSIM technology has been discovered that enables attackers to clone mobile subscriber profiles and hijack user identities, raising serious concerns about the integrity of global mobile networks.
AG Security Research announced that it successfully compromised Kigen eUICC cards using GSMA consumer certificates. This marks what they describe as the first publicly disclosed attack against consumer-grade GSMA eUICC and EAL-certified security chips.
The research team was able to extract private ECC keys from the targeted eUICC cards. Using these keys, they retrieved eSIM profiles from leading mobile network operators, including AT&T, Vodafone, O2, Orange, and T-Mobile, in cleartext. This represents a major breach in a technology ecosystem that secures more than two billion SIMs worldwide, based on Kigen’s secure SIM operating system.
Exploiting a Java Card Vulnerability
The attack takes advantage of a type confusion flaw in the Java Card Virtual Machine, a vulnerability category similar to those reported in 2019. Researchers developed a proof-of-concept demonstrating how malicious applets could be installed using the OTA SMS-PP (Short Message Service Point to Point) protocol.
This vulnerability allows attackers to bypass various layers of protection, including EAL4 and EAL5 certifications, side-channel resistance, and Java Card runtime security. Attackers can carry out the attack either through physical access to the eSIM card and installation keys or remotely through over-the-air channels.
Key security elements exposed in the attack include the OPc key and the Authentication Management Field (AMF). These are critical components embedded in eSIM profiles that are supposed to remain strictly protected by network operators.
To assess the severity of the vulnerabilities, researchers built a security toolkit using the Basic Security Check (BSC) command, capable of analyzing the bytecode for weaknesses in Java Card implementations.
Real-World Cloning Test
The most concerning part of the study involved a real-world demonstration of eSIM cloning on Orange Poland’s network in July 2025. The researchers installed an identical eSIM profile on two separate eUICC cards. Once the cloned device was activated, it began receiving all SMS and voice calls intended for the original user.
This capability poses a serious threat to systems that rely on two-factor authentication via SMS, including platforms such as Gmail and online banking services. According to the researchers, the hijacking process is invisible to the victim, who receives no notification that their profile has been duplicated.
Vendor Response and Mitigation
In response to the findings, Kigen implemented strict type safety checks across roughly 180 Java Card bytecode instructions and worked with GSMA to revise the TS.48 Generic Test Profile specification.
Kigen also distributed security patches to millions of eSIMs and issued a public bulletin with mitigation guidelines. Meanwhile, GSMA has published updated application notes and shut down all test profiles to prevent further misuse through unauthorized Java Card app installations.
This incident underscores the need for stronger safeguards in the eSIM infrastructure and more rigorous testing of secure chip implementations used across mobile networks.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
