Description
Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Published: 2026-05-12
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled manipulation of the system search path allows a local attacker with authenticated user privileges to execute arbitrary code at a higher privilege level. The vulnerability exists in the Intel Server Firmware Update Utility and could lead to unauthorized modification of files, disclosure of sensitive data, or denial of service for system functions. The confidentiality, integrity, and availability of the affected system might be severely compromised if the attacker achieves escalation.

Affected Systems

The Intel Server Firmware Update Utility, versions prior to 16.0.12, on servers running Intel firmware infrastructure are vulnerable. Systems that still use older builds of the utility are at risk of privilege exploitation through this flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS is not available and the flaw is not listed in CISA KEV, suggesting limited evidence of current exploitation. The attacker must have local authenticated access and carry out a high-complexity attack, typically involving active user interaction, modification of the PATH environment variable, or placement of malicious binaries in directories that are searched. Once an attacker can redirect the search path, attacker-controlled code executes with elevated privileges, giving a high impact on confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 12, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Intel Server Firmware Update Utility to version 16.0.12 or later.
  • Restrict or remove untrusted directories from the system PATH environment variable.
  • Configure filesystem permissions so that only privileged users can write to directories used by the firmware update utility.
  • Continuously monitor PATH modifications and unexpected executable deployments as part of a security auditing process.
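An added defensive check for the PATH-related actions above (example code, not OpenCVE's or Intel's): it walks a PATH-style search list and flags entries a non-privileged local user could abuse for search-path hijacking (CWE-427). It assumes the utility resolves helper binaries through the PATH environment variable; the `is_writable` parameter is a hypothetical injection point for testing.

```python
"""Audit a PATH-style search list for entries exploitable via CWE-427."""
import os
import sys


def audit_path_entries(path_value, is_writable=None, sep=os.pathsep):
    """Return a list of (entry, reason) for entries a local user could abuse.

    Flagged cases:
      * empty or "." entries: resolved against the current working directory;
      * other relative entries: depend on where the utility is launched from;
      * missing directories whose parent is writable: a user could create them;
      * existing directories writable by the current (unprivileged) user.
    `is_writable` may be injected for testing; default is os.access(W_OK).
    """
    if is_writable is None:
        def is_writable(directory):
            return os.access(directory, os.W_OK)
    findings = []
    for entry in path_value.split(sep):
        if entry in ("", "."):
            findings.append((entry, "resolves to the current working directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        elif not os.path.isdir(entry):
            parent = os.path.dirname(entry.rstrip(os.sep))
            if is_writable(parent):
                findings.append((entry, "missing directory with writable parent"))
        elif is_writable(entry):
            findings.append((entry, "directory writable by current user"))
    return findings


def report(findings):
    """Format findings one per line; an empty string means nothing was flagged."""
    return "\n".join("%s: %s" % (entry or "<empty>", reason)
                     for entry, reason in findings)


if __name__ == "__main__":
    # Audit the live PATH of the account running this script. Run it as the
    # unprivileged account that would launch the firmware update utility.
    hits = audit_path_entries(os.environ.get("PATH", ""))
    print(report(hits) or "no risky PATH entries found")
    sys.exit(1 if hits else 0)
```

Run it under the same account and environment the update utility is launched from; a non-zero exit means at least one entry needs to be removed or its permissions tightened.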

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type: Title
Values added: Privilege Escalation via Uncontrolled Search Path in Intel Server Firmware Update Utility

Tue, 12 May 2026 16:45:00 +0000

Type: Description
Values added: Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Type: Weaknesses
Values added: CWE-427

Type: References

Type: Metrics
Values added: cvssV4_0 {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: intel

Published:

Updated: 2026-05-12T17:06:46.571Z

Reserved: 2025-04-15T21:18:44.473Z

Link: CVE-2025-35969

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T17:16:13.210

Modified: 2026-05-12T17:16:13.210

Link: CVE-2025-35969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses