Description
A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity.
Published: 2026-04-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Alteration of MMIO routing leading to guest system integrity compromise
Action: Update Firmware
AI Analysis

Impact

A missing lock verification in the AMD Secure Processor firmware can allow a locally authenticated attacker with administrative privileges to change MMIO routing on selected Zen 5 products. This flaw, classified as CWE‑414, compromises the ability of a guest system to maintain isolation and integrity. The attacker could re‑route memory‑mapped I/O to unauthorized devices, potentially enabling privilege escalation within the virtualized environment.

Affected Systems

AMD EPYC 7003 Series Processors, AMD EPYC 8004 Series Processors, AMD EPYC 9004 Series Processors, AMD EPYC 9005 Series Processors, AMD EPYC Embedded 7003 Series Processors, AMD EPYC Embedded 8004 Series Processors, AMD EPYC Embedded 9004 Series Processors, AMD EPYC Embedded 9005 Series Processors.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.9, indicating moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting limited public exploitation at this time. Attacks would require local administrative access to the host, making it less likely to be a widespread threat but still significant for environments where privileged users have unchecked firmware control.

Generated by OpenCVE AI on April 17, 2026 at 02:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AMD Secure Processor firmware update as outlined in AMD Bulletin AMD‑SB‑3034.
  • Restrict local administrative privileges by implementing role‑based access controls so that only trusted personnel can modify firmware settings.
  • Enable and monitor system logs for unauthorized MMIO configuration changes to detect potential exploitation.

Generated by OpenCVE AI on April 17, 2026 at 02:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title AMD Platform Security Processor: AMD EPYC 9005 Series CPUs: AMD Platform Security Processor: Information disclosure via missing lock check
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Amd
Amd epyc 7003 Series Processors
Amd epyc 8004 Series Processors
Amd epyc 9004 Series Processors
Amd epyc 9005 Series Processors
Amd epyc Embedded 7003 Series Processors
Amd epyc Embedded 8004 Series Processors
Amd epyc Embedded 9004 Series Processors
Amd epyc Embedded 9005 Series Processors
Vendors & Products Amd
Amd epyc 7003 Series Processors
Amd epyc 8004 Series Processors
Amd epyc 9004 Series Processors
Amd epyc 9005 Series Processors
Amd epyc Embedded 7003 Series Processors
Amd epyc Embedded 8004 Series Processors
Amd epyc Embedded 9004 Series Processors
Amd epyc Embedded 9005 Series Processors

Thu, 16 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Missing lock check in AMD Platform Security Processor in AMD EPYC™ 9005 Series CPUs allows a privileged attacker to potentially impact guest confidentiality via local access. A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity.

Thu, 16 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Missing lock check in AMD Platform Security Processor in AMD EPYC™ 9005 Series CPUs allows a privileged attacker to potentially impact guest confidentiality via local access.
Weaknesses CWE-414
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Amd Epyc 7003 Series Processors Epyc 8004 Series Processors Epyc 9004 Series Processors Epyc 9005 Series Processors Epyc Embedded 7003 Series Processors Epyc Embedded 8004 Series Processors Epyc Embedded 9004 Series Processors Epyc Embedded 9005 Series Processors
cve-icon MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-05-13T03:14:06.848Z

Reserved: 2025-07-23T15:01:50.734Z

Link: CVE-2025-54510

cve-icon Vulnrichment

Updated: 2026-04-16T18:56:33.115Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T19:16:32.897

Modified: 2026-04-17T15:14:05.510

Link: CVE-2025-54510

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-16T18:44:10Z

Links: CVE-2025-54510 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:05:26Z

Weaknesses