Description
Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality.
Published: 2026-05-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication check (CWE-306, Missing Authentication for Critical Function) on the KVM key download endpoint. Any client that knows or guesses the exposed URL can retrieve the keys the endpoint serves without presenting credentials. The CVSS 4.0 vector rates the confidentiality impact as low (VC:L) with no integrity or availability impact, so the primary consequence is disclosure of key material; what an attacker can do with the disclosed keys depends on what those keys protect, which the record does not specify.

Affected Systems

The record lists AMD Device Management Portal (ADMP) together with a broad set of AMD client and workstation processors: Athlon 3000 Series Mobile; Ryzen 3000, 4000, 5000, 6000, 7000 (including 7030, 7035, 7040 and 7045), 8000 (including 8040), 9000 and 9000HX; Ryzen AI 300 and AI Max 300; and Threadripper 3000/3000WX, 5000WX, 7000WX and 9000WX. The provided data does not tie the flaw to specific firmware or software revisions, so any deployment that exposes the KVM key download endpoint should be treated as affected until AMD states otherwise.

Risk and Exploitability

The CVSS 4.0 base score of 6.3 (Medium) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction (AV:N/AC:L/PR:N/UI:N) but has one attack requirement (AT:P), namely knowledge of the exposed URL, and a low confidentiality impact (VC:L). EPSS is below 1%, the CVE is not in CISA KEV, and the SSVC record marks exploitation as none, so there is no evidence of active exploitation; SSVC does, however, mark it automatable, which is consistent with a flaw that needs nothing more than an HTTP request to a known path. Any KVM key download endpoint reachable from an untrusted network should be assumed to leak its keys to whoever finds the URL, so both network restriction and enforced authentication are warranted.

Generated by OpenCVE AI on May 14, 2026 at 16:24 UTC.
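The pattern behind CWE-306 on an endpoint like this, and the check a defender would run, as an added example that is not AMD's or OpenCVE's code: a key download handler whose only protection is an unguessable path, beside a hardened version that requires a bearer token before it touches the key store, plus a probe that reports whether a handler hands out key material to an unauthenticated request. The endpoint path (`/api/kvm/keys/<host-id>`), the host ids, the admin token and the key bytes are all constructed placeholders; the real URL is not given in the advisory.

```python
"""
CWE-306 on a key-download endpoint: vulnerable handler, hardened handler,
and an unauthenticated-access probe. Added example, not AMD's or OpenCVE's
code. Every path, id, token and key below is a constructed placeholder.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample key store: KVM host id -> key material (hex).
# Random placeholders, not real keys.
KEY_STORE: Dict[str, str] = {
    "kvm-host-01": secrets.token_hex(32),
    "kvm-host-02": secrets.token_hex(32),
}

# Assumed endpoint path; the advisory does not disclose the real URL.
KEY_PATH_PREFIX = "/api/kvm/keys/"

# Constructed administrative bearer token (in practice from a secret store).
ADMIN_TOKEN = secrets.token_urlsafe(32)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, str]
Handler = Callable[[Request], Response]


def _lookup_key(path: str) -> Optional[str]:
    """Map a request path to a stored key, or None if no such host id."""
    if not path.startswith(KEY_PATH_PREFIX):
        return None
    host_id = path[len(KEY_PATH_PREFIX):]
    return KEY_STORE.get(host_id)


def vulnerable_handler(req: Request) -> Response:
    """CWE-306 pattern: knowing the URL is the only 'protection'."""
    if req.method != "GET":
        return 405, "method not allowed"
    key = _lookup_key(req.path)
    if key is None:
        return 404, "not found"
    return 200, key  # key material returned to any caller


def _authenticated(req: Request) -> bool:
    """Require a bearer token; compare in constant time to avoid timing leaks."""
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), ADMIN_TOKEN.encode())


def hardened_handler(req: Request) -> Response:
    """Fix: authenticate before touching the key store, so an unauthenticated
    caller gets the same 401 whether or not the host id exists."""
    if req.method != "GET":
        return 405, "method not allowed"
    if not _authenticated(req):
        return 401, "authentication required"
    key = _lookup_key(req.path)
    if key is None:
        return 404, "not found"
    return 200, key


def leaks_key_unauthenticated(handler: Handler, path: str) -> bool:
    """Probe: does a request carrying no credentials return key material?
    A 200 whose body matches a stored key means the endpoint is exposed."""
    status, body = handler(Request("GET", path))
    return status == 200 and body in KEY_STORE.values()


if __name__ == "__main__":
    p = KEY_PATH_PREFIX + "kvm-host-01"
    print("vulnerable leaks key:", leaks_key_unauthenticated(vulnerable_handler, p))
    print("hardened leaks key:  ", leaks_key_unauthenticated(hardened_handler, p))
    with_token = Request("GET", p, {"Authorization": "Bearer " + ADMIN_TOKEN})
    print("hardened with valid token:", hardened_handler(with_token)[0])
```

The same probe logic applies to a live endpoint: send the request with no credentials from a network position an attacker could plausibly hold and treat anything other than a 401 or 403 as a finding. The hardened handler checks credentials before looking up the host id, so an unauthenticated caller cannot even enumerate which hosts have keys.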

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the AMD fix for the affected product (firmware/BIOS or ADMP software, as applicable) as soon as AMD publishes one; the record currently lists no fix or workaround.
  • Until then, restrict reachability of the KVM key download endpoint with firewall rules or network segmentation so that only authorized administrative hosts can reach it, and verify from an unprivileged network position that an unauthenticated request to the endpoint is refused.
  • Treat any keys the endpoint could have served as potentially exposed: review access logs for unauthenticated requests to the endpoint and rotate the affected keys where exposure cannot be ruled out.


Advisories

No advisories yet.

History

Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality.
Weaknesses | | CWE-306
References | |
Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-05-14T15:35:55.110Z

Reserved: 2025-10-16T20:46:13.454Z

Link: CVE-2025-62619

Vulnrichment

Updated: 2026-05-14T15:35:50.855Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T15:16:43.147

Modified: 2026-05-14T15:53:24.703

Link: CVE-2025-62619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses