diff --git a/.github/workflows/test-powerfail-simulator.yml b/.github/workflows/test-powerfail-simulator.yml
index 4442abf8..bd00bb96 100644
--- a/.github/workflows/test-powerfail-simulator.yml
+++ b/.github/workflows/test-powerfail-simulator.yml
@@ -198,11 +198,18 @@ jobs:
       - name: Rebuild wolfboot.elf
         run: |
           make test-sim-internal-flash-with-delta-update
-
+      
       - name: Run update-revert test with power failures (DELTA)
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild with wrong delta base version
+        run: |
+          make clean && make test-sim-internal-flash-with-wrong-delta-update
+
+      - name: Run negative update test with wrong base version (DELTA)
+        run: |
+          tools/scripts/sim-delta-wrongversion-update.sh
 
      # TEST with encryption (aes128)
       - name: make clean
diff --git a/tools/scripts/sim-delta-wrongversion-update.sh b/tools/scripts/sim-delta-wrongversion-update.sh
new file mode 100755
index 00000000..519d6ac0
--- /dev/null
+++ b/tools/scripts/sim-delta-wrongversion-update.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+V=`./wolfboot.elf update_trigger get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Failed first boot with update_trigger"
+    exit 1
+fi
+
+# First boot: attempt update, should be rejected
+V=`./wolfboot.elf success get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Error: Delta update with wrong image reported as successful."
+    exit 1
+fi
+
+# Second boot to verify system is alive
+V=`./wolfboot.elf success get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Error: System is possibly unrecoverable"
+    exit 1
+fi
+echo "Update successfully rejected (V: $V)"
+
+echo Test successful.
+exit 0
+
+
diff --git a/tools/test.mk b/tools/test.mk
index 29c7a213..1e1a4028 100644
--- a/tools/test.mk
+++ b/tools/test.mk
@@ -237,6 +237,15 @@ test-sim-internal-flash-with-delta-update:
 		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) test-app/image_v$(TEST_UPDATE_VERSION)_signed_diff.bin \
 		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) erased_sec.dd
 
+test-sim-internal-flash-with-wrong-delta-update:
+	make test-sim-internal-flash-with-update DELTA_UPDATE_OPTIONS="--delta test-app/image_v1_signed.bin"
+	make test-sim-internal-flash-with-update DELTA_UPDATE_OPTIONS="--delta test-app/image_v2_signed.bin" TEST_UPDATE_VERSION=3
+	$(Q)$(BINASSEMBLE) internal_flash.dd \
+		0 wolfboot.bin \
+		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) test-app/image_v1_signed.bin \
+		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) test-app/image_v3_signed_diff.bin \
+		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) erased_sec.dd
+
 test-sim-update-flash: wolfboot.elf test-sim-internal-flash-with-update FORCE
 	$(Q)(test `./wolfboot.elf success update_trigger get_version` -eq 1)
 	$(Q)(test `./wolfboot.elf success get_version` -eq $(TEST_UPDATE_VERSION))