AMD CPU Signature Verification Flaw Allows Attackers to Load Malicious Microcode

A serious security vulnerability in AMD processors has been disclosed, allowing attackers with administrative privileges to potentially load malicious microcode patches into CPUs.

Identified as CVE-2024-36347 with a medium-severity CVSS score of 6.4, this flaw affects numerous AMD processor families across desktop, mobile, server, and embedded segments.

According to the security bulletin AMD-SB-7033 published on April 7, 2025, researchers from Google discovered and reported a weakness in AMD’s signature verification algorithm that could allow the loading of unsigned or fraudulently signed microcode.

While AMD has confirmed no instances of this vulnerability being exploited in the wild, the potential impact includes compromised system integrity and confidentiality.

Technical Details and Impact Assessment

The vulnerability stems from improper signature verification in the CPU ROM microcode patch loader, which could allow an attacker with local administrator privileges to bypass security measures and load arbitrary microcode.

The researchers demonstrated their ability to load patches not signed by AMD and even falsify signatures for custom microcode modifications.

If successfully exploited, this vulnerability could lead to:

  • Loss of integrity in x86 instruction execution
  • Compromise of data confidentiality and integrity within privileged CPU contexts
  • Potential compromise of the System Management Mode (SMM) execution environment

The attack requires local access, high privileges, and involves complex exploitation techniques, as reflected in the CVSS vector string: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.

Risk Factor Analysis and Mitigation Timeline

CVE IDCVSS ScoreAttack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact
CVE-2024-363476.4Local (AV:L)High (AC:H)High (PR:H)None (UI:N)Unchanged (S:U)High (C:H)High (I:H)High (A:H)

AMD has developed mitigations for this vulnerability and is releasing updated Platform Initialization (PI) firmware to Original Equipment Manufacturers (OEMs).

The updates provide enhanced signature verification and prevent unauthorized microcode loading.

Notable release dates for firmware updates include:

  • Data Center: Most EPYC server processors received updates in December 2024, with Turin updates released on March 4, 2025
  • Desktop: Ryzen 5000 and 3000 series updates were released on January 14-22, 2025, while Ryzen 9000 series updates came on March 27, 2025
  • Mobile: Updates for various Ryzen mobile processors were released between December 2024 and March 2025
  • Embedded: Updates for EPYC Embedded processors were released in December 2024, with Ryzen Embedded updates following in January and February 2025

The security bulletin notes that after updating to these firmware versions, “Microcode cannot be hot-loaded” on certain platforms, and attempts to load microcode on older BIOS versions will trigger a #GP (General Protection) fault.

Users must contact their system or motherboard manufacturers to obtain the appropriate BIOS updates.

AMD acknowledged Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo from Google for discovering and responsibly disclosing this vulnerability.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

AnuPriya
AnuPriya
Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here