diff --git a/subsys/mgmt/osdp/src/osdp_pd.c b/subsys/mgmt/osdp/src/osdp_pd.c
index c19fc6d7223..a3b7366b324 100644
--- a/subsys/mgmt/osdp/src/osdp_pd.c
+++ b/subsys/mgmt/osdp/src/osdp_pd.c
@@ -523,8 +523,14 @@ static int pd_decode_command(struct osdp_pd *pd, uint8_t *buf, int len)
 		if (len != CMD_SCRYPT_DATA_LEN) {
 			break;
 		}
+		ret = OSDP_PD_ERR_REPLY;
 		if (!pd_cmd_cap_ok(pd, NULL)) {
-			ret = OSDP_PD_ERR_REPLY;
+			break;
+		}
+		if (sc_is_active(pd)) {
+			pd->reply_id = REPLY_NAK;
+			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+			LOG_ERR("Out of order CMD_SCRYPT; has CP gone rogue?");
 			break;
 		}
 		for (i = 0; i < CMD_SCRYPT_DATA_LEN; i++) {
diff --git a/subsys/mgmt/osdp/src/osdp_phy.c b/subsys/mgmt/osdp/src/osdp_phy.c
index d1ddba048e7..864c326e296 100644
--- a/subsys/mgmt/osdp/src/osdp_phy.c
+++ b/subsys/mgmt/osdp/src/osdp_phy.c
@@ -385,6 +385,12 @@ int osdp_phy_decode_packet(struct osdp_pd *pd, uint8_t *buf, int len)
 			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
 			return OSDP_ERR_PKT_FMT;
 		}
+		if (!sc_is_active(pd) && pkt->data[1] > SCS_14) {
+			LOG_ERR("Received invalid secure message!");
+			pd->reply_id = REPLY_NAK;
+			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+			return OSDP_ERR_PKT_FMT;
+		}
 		if (pkt->data[1] == SCS_11 || pkt->data[1] == SCS_13) {
 			/**
 			 * CP signals PD to use SCBKD by setting SB data byte