News

Positive Technologies helps AMD patch a vulnerability across four major chip lines

Prior to the patch, the flaw could have been exploited for espionage, data theft, malicious code execution, and bypassing security tools to launch sophisticated attacks
 

Timofey Duditsky, a researcher at the Positive Technologies Expert Security Center (PT ESC), has helped patch a high-severity vulnerability affecting the AMD EPYC, Ryzen, EPYC Embedded, and Ryzen Embedded processor lines. AMD is the world's second-largest chip developer, holding a 37% share of the global processor market.1 The flaw affected 56 chip models, including lower-cost series such as the Athlon 3000, Ryzen 5000, and Ryzen 6000 with Radeon graphics, and so threatened everyday users, businesses, and government agencies in many countries. In attacks on organizations, threat actors could have remained undetected in compromised systems for a long time, moved laterally across internal networks, spied on victims, and stolen sensitive data. The vendor was informed in accordance with the responsible disclosure policy and has since released firmware updates.

AMD EPYC processors are widely used in data centers, high-performance computing (HPC) systems, and virtualization and containerization environments. AMD Ryzen multi-core processors are designed for desktop, mobile, server, and embedded platforms and handle a wide range of tasks, from basic office applications to resource-intensive computing; among other things, they power home and corporate laptops and desktop PCs. The embedded EPYC and Ryzen families are used in networking equipment, data storage systems, medical imaging, industrial systems, thin clients, and gaming systems.
 

1 According to cpubenchmark.net, the world's largest CPU benchmarking website, as of Q2 2026. The figure covers only processors installed in desktops, laptops, and servers and excludes gaming consoles and certain mobile devices.

The vulnerability, tracked as PT-2026-33168 (CVE-2025-54502; BDU:2025-10277),2 was assigned a CVSS 4.0 score of 7.1, indicating high severity. Timofey Duditsky discovered the flaw in the motherboard firmware (UEFI), specifically in the SMM driver responsible for the AMD Platform Configuration Blob component. The manufacturer had not adequately secured the processor's most privileged execution mode, System Management Mode (SMM), which firmware uses to manage the platform, its power, security, and other functions.

The vulnerability stems from the vulnerable driver's incorrect use of a UEFI Boot Service. Boot Services are intended only for the pre-OS boot phase and are reached through a table that sits outside SMRAM, in memory the operating system owns once it is running, so an SMI handler must never call them. According to Timofey Duditsky, such security issues often arise from oversights during initial software development or subsequent component updates. Developers may also neglect code optimization or testing, leaving behind flaws that could easily have been resolved during the early stages of development.
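The following is an added example, not code from the affected AMD driver or from PT ESC, that models the general bug class the paragraph above describes: an SMI handler that reaches a Boot Service through a table outside SMRAM. The type names (BOOT_SERVICES, SMM_SYSTEM_TABLE), the globals gBS and gSmst, and the single-function tables are simplified stand-ins for the EDK2 structures EFI_BOOT_SERVICES and EFI_SMM_SYSTEM_TABLE2 with shortened signatures; "SMRAM" here is ordinary process memory that the mock attacker simply does not write to. It shows why calling Boot Services from SMM hands control to whoever owns that memory; it does not reproduce the specific exploitation chain described for PT-2026-33168.

```c
#include <stddef.h>
#include <stdio.h>

/* Function-pointer type shared by the mock service tables below. */
typedef int (*ALLOCATE_FN)(size_t size, void **out);

/* Stand-in for EDK2's EFI_BOOT_SERVICES (assumed, simplified). The real
 * table is placed in ordinary system memory by the firmware and is only
 * meant to be used before ExitBootServices(); once the OS owns that
 * memory, ring-0 code can rewrite every pointer in it. */
typedef struct {
    ALLOCATE_FN AllocatePool;
} BOOT_SERVICES;

/* Stand-in for EDK2's EFI_SMM_SYSTEM_TABLE2 (assumed, simplified), which
 * lives inside SMRAM. With SMRAM protections configured correctly,
 * non-SMM code cannot read or write it. */
typedef struct {
    ALLOCATE_FN SmmAllocatePool;
} SMM_SYSTEM_TABLE;

static unsigned char g_os_pool[64];    /* mock pool in normal memory  */
static unsigned char g_smram_pool[64]; /* mock pool inside "SMRAM"    */
static int g_attacker_ran;             /* set when attacker code runs */

static int LegitBootAllocate(size_t size, void **out) {
    if (size > sizeof g_os_pool) return -1;
    *out = g_os_pool;
    return 0;
}

static int SmmAllocate(size_t size, void **out) {
    if (size > sizeof g_smram_pool) return -1;
    *out = g_smram_pool;
    return 0;
}

/* Attacker-controlled function. In a real attack this is the payload
 * that ends up executing with SMM privileges. */
static int AttackerPayload(size_t size, void **out) {
    (void)size;
    *out = NULL;
    g_attacker_ran = 1;
    return 0;
}

static BOOT_SERVICES    g_bs_table   = { LegitBootAllocate };
static SMM_SYSTEM_TABLE g_smst_table = { SmmAllocate };

BOOT_SERVICES    *gBS   = &g_bs_table;   /* outside SMRAM */
SMM_SYSTEM_TABLE *gSmst = &g_smst_table; /* inside SMRAM  */

/* VULNERABLE: the SMI handler calls a Boot Service through gBS. The
 * pointer it dereferences is in memory the OS, and therefore a
 * kernel-level attacker, controls. */
int VulnerableSmiHandler(size_t size, void **out) {
    return gBS->AllocatePool(size, out);
}

/* FIXED: the handler uses only the SMM system table, which is inside
 * SMRAM, and never touches Boot Services. */
int FixedSmiHandler(size_t size, void **out) {
    return gSmst->SmmAllocatePool(size, out);
}

/* What a kernel-level attacker can do after the OS has booted: rewrite
 * the Boot Services table. SMRAM, and with it gSmst, is out of reach. */
void AttackerHijackBootServices(void) {
    gBS->AllocatePool = AttackerPayload;
}

/* Simulates one SMI delivered to the given handler and reports whether
 * attacker-controlled code executed inside it (1) or not (0). */
int SimulateSmi(int (*handler)(size_t, void **)) {
    void *buf = NULL;
    g_attacker_ran = 0;
    (void)handler(16, &buf);
    return g_attacker_ran;
}

int main(void) {
    printf("vulnerable handler, clean table:  hijacked=%d\n", SimulateSmi(VulnerableSmiHandler));
    AttackerHijackBootServices();
    printf("vulnerable handler, after hijack: hijacked=%d\n", SimulateSmi(VulnerableSmiHandler));
    printf("fixed handler, after hijack:      hijacked=%d\n", SimulateSmi(FixedSmiHandler));
    return 0;
}
```

The fix is not a bounds check or a validation of gBS; the only correct change is to stop referencing the Boot Services table from SMM code at all and use the SMM-resident services instead. The same reasoning applies to any pointer an SMI handler takes from memory outside SMRAM.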
 

2 The security vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

An attacker could exploit the flaw either with physical access to the target device or locally, provided they already had kernel-level access. To exploit this now-patched vulnerability, one of the following two conditions had to be met:

  • Execution of an exploit chain.3 The most dangerous scenario is local exploitation. Attackers would first need to bypass Secure Boot,4 then find and exploit an additional vulnerability5 granting read and write access to SMM memory, and finally exploit PT-2026-33168 to inject malicious code (such as a backdoor). With physical access, a memory read and write vulnerability alone would have been sufficient.
  • Improper motherboard configuration by the manufacturer. For instance, the vendor might have misconfigured the protection of the memory region dedicated to SMM (SMRAM).

3 A computer program, piece of code, or series of instructions that take advantage of vulnerabilities in software or hardware and are used for attacks on the system.

4 Secure Boot is a feature of the UEFI specification, promoted by Microsoft together with hardware manufacturers, that protects the boot process by allowing only signed, trusted components to load before the operating system starts.

5 No such vulnerability is currently known; the researcher theorized how an attacker could mount a full-scale attack using PT-2026-33168.

"Because these vulnerable chips are so widely used globally—from home laptops to data centers—the threat was extremely serious. If attackers had managed to exploit this flaw, users would have had no way of knowing that an illegitimate module executing malicious commands had been implanted into their motherboard firmware. If attackers compromised corporate hosts, they would have gained complete freedom of action. They would have remained invisible to most security solutions and could have maintained their malicious activity even after the operating system was reinstalled. Government agencies and commercial enterprises would be the most likely targets. PT ESC's incident response experience shows that this type of flaw is highly effective for conducting sophisticated, high-tech attacks aimed at establishing persistence within a victim's infrastructure. Using PT-2026-33168, cybercriminals could have spent months spying on employees, stealthily stealing valuable data, and moving laterally across corporate networks."

Timofey Duditsky, Vulnerability Analyst at PT ESC

The expert also highlighted several other potential attack scenarios, including:

  • Covert, long-term spying on victims
  • Extraction of personal and corporate data from compromised services and systems
  • Execution of malicious code to gain maximum privileges over the operating system
  • Bypassing deployed security solutions to advance the attack further
  • Destructive impact on the device, such as causing a denial-of-service (DoS) condition (for example, if an error occurs while writing to the SPI ROM that holds the firmware)

To stay protected, users and organizations should follow AMD's recommendations and install the firmware updates that contain the fixed driver. If installing the update is not possible, Timofey Duditsky advises enabling Secure Boot, which prevents unsigned code from loading before the operating system starts. Users should also secure their physical workspaces to prevent the connection of unauthorized or suspicious USB drives. Operating systems should be updated as soon as patches are released, since these updates may include fixes for Secure Boot, such as updates to its revocation database (dbx), that keep it functioning correctly.
 

Additional recommendations, primarily for IT and information security departments, include restricting physical access to mission-critical systems that contain the vulnerable component and prohibiting the loading of custom UEFI images. Administrators should also disable Legacy USB, Thunderbolt, and PCIe hot-plug in the firmware settings, activate BIOS Lock,6 and use the platform's built-in security features. Finally, endpoint protection with kernel integrity monitoring is strongly advised, together with IOMMU-based DMA protection (Intel VT-d or AMD-Vi), which stops peripherals from reading or writing memory they have not been assigned.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.

6 A security feature that restricts access to BIOS settings and prevents unauthorized modifications.