Description
Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality.
Published: 2026-05-14
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper privilege management in the KVM key download component permits an attacker to swap tokens and retrieve sensitive encryption keys, enabling unauthorized access to privileged resources and compromising confidentiality. The weakness is a classic privilege escalation flaw, identified by CWE-269, where the boundary between trusted and untrusted code is insufficiently enforced.

Affected Systems

Affected broad range of AMD processors and related management portals, including Athlon 3000 series, Ryzen 3000‑9000 series, Threadripper series, and the AMD Device Management Portal. All variants listed as affected by the vendor include both desktop and mobile processors with Radeon graphics, as well as advanced AI and Threadripper professional lines.

Risk and Exploitability

The CVSS score of 6.0 indicates a moderate severity condition, while an EPSS score is unavailable and the issue is not listed in the CISA KEV catalog. Exploitation is likely to require local or privileged access to the KVM host, as the flaw involves token manipulation within the KVM key download service. If an attacker can execute code on the host or on a trusted guest, they can swap tokens and download keys, potentially escalating privileges and extracting confidential data. The lack of publicly available exploit data suggests that exploitation complexity is moderate but feasible for knowledgeable adversaries.

Generated by OpenCVE AI on May 14, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install any AMD firmware or BIOS updates that address the KVM key download privilege issue.
  • Configure the KVM host to restrict token permissions and enforce least privilege on user sessions.
  • Disable the KVM key download capability in system settings if the functionality is not required.

Generated by OpenCVE AI on May 14, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Improper privilege management in KVM key download allowing token swapping and key theft

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality.
Weaknesses CWE-269
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-05-14T15:35:04.518Z

Reserved: 2025-10-16T20:46:13.455Z

Link: CVE-2025-62625

cve-icon Vulnrichment

Updated: 2026-05-14T15:35:00.158Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T15:16:43.957

Modified: 2026-05-14T15:53:24.703

Link: CVE-2025-62625

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses