The National Information Technology Development Agency has issued a public warning about a newly discovered security flaw in embedded SIM technology, which could expose billions of smartphones, tablets, wearables, and Internet of Things devices to large-scale cyberattacks.
The agency explained that the vulnerability stems from the GSMA TS.48 Generic Test Profile (version 6.0 and earlier), commonly used in radio compliance testing of eUICC (Embedded Universal Integrated Circuit Card) chips.
With over 2 billion devices at risk globally, the flaw could allow attackers to gain remote or physical access to devices, install malicious applets, steal cryptographic keys, or even clone eSIM profiles. Such exploits may lead to communication interception, persistent device control, and the creation of stealth backdoors at the SIM card level.
To curb the threat, NITDA urged device manufacturers and service providers to deploy Kigen OS patches through over-the-air (OTA) updates and to upgrade to the GSMA TS.48 version 7.0 standard while removing outdated test profiles. The agency stressed that immediate action is critical to sealing potential exploitation paths and protecting users from one of the most serious cybersecurity risks in recent years.
Nigeria began its eSIM journey in 2020 when the Nigerian Communications Commission approved MTN and 9mobile to conduct a one-year trial with 5,000 eSIMs, subject to regulatory conditions.

