Description
The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution.
Published: 2026-06-12
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AMD’s optional tools – Management Console, Ryzen Master and µProf – use unsecured HTTP transport internally. An attacker who can intercept this traffic may perform a man‑in‑the‑middle attack, redirecting or tampering with the data stream and potentially injecting malicious commands that lead to arbitrary code execution on the infected system. The vulnerability directly stems from improper handling of insecure transport, as identified by CWE‑1428, and carries the potential to compromise confidentiality, integrity, and availability by allowing malicious code to execute with local privileges.

Affected Systems

The affected products are AMD Management Console, AMD Ryzen Master, and AMD µProf. No specific version ranges are provided; any installation of these optional tools prior to the release of the vendor’s security update may be vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, although no EPSS score is available to gauge current exploitation likelihood. The vulnerability is not listed in CISA KEV, suggesting it is not widely exploited yet. The exploit requires a network attacker capable of performing a MITM attack between the AMD tool and its backend. If successful, the attacker gains the ability to execute arbitrary code on the client machine. The risk remains significant until the vendor’s patch is applied.

Generated by OpenCVE AI on June 12, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch or update released in the AMD security bulletin for Management Console, Ryzen Master, and µProf
  • Configure the tools to use HTTPS instead of HTTP if the option is available, disabling insecure transport
  • Limit network access to the AMD tools to trusted internal users or isolate them in a secure network segment to reduce exposure to MITM attacks

Generated by OpenCVE AI on June 12, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Insecure HTTP Transport in AMD Optional Tools Enables MITM and Arbitrary Code Execution

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution.
Weaknesses CWE-1428
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-06-12T15:57:12.696Z

Reserved: 2026-04-14T17:04:42.500Z

Link: CVE-2026-40677

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:27.400

Modified: 2026-06-12T16:22:46.947

Link: CVE-2026-40677

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-1428

    Reliance on HTTP instead of HTTPS