{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/209095#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nSystem Management Mode (SMM) memory corruption vulnerabilities have been identified in UEFI modules present in AMI Aptio UEFI firmware. An attacker could exploit this vulnerability to elevate privileges and execute arbitrary code in the highly privileged SMM environment. Users should apply UEFI firmware updates provided by their supply-chain-supported vendors to address these issues.\r\n\r\n### Description\r\n\r\nThe Unified Extensible Firmware Interface (UEFI) specification defines an interface between an operating system (OS) and platform firmware. The UEFI specification defines mechanisms that allow firmware code to execute in System Management Mode (SMM), a highly privileged CPU mode intended for low-level system operations and direct hardware access. SMM operations are executed within a CPU protected memory region called System Management RAM (SMRAM). This environment is often referred to as \"ring -2\" because it operates at a deeper privilege level than the OS kernel (ring 0) and hypervisor (ring -1).\r\n\r\nA vulnerability has been identified in certain firmware modules of AMI APTIOV related to improper pointer validation. Specifically, the code fails to adequately validate pointer values to prevent overlap with SMRAM. This allows memory references to be redirected into SMRAM, potentially enabling unauthorized code execution within SMM. An attacker exploiting this flaw could corrupt memory and overwrite sensitive SMRAM data, including firmware components that may later be written to PCI flash memory—establishing persistent control over the device.\r\n\r\n### Impact\r\nSuccessful exploitation of this vulnerability may allow execution of code within System Management Mode (SMM), a highly privileged environment in firmware. This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS.\r\n\r\n### Solution\r\nInstall the latest UEFI firmware updates provided by your PC vendor. Refer to the Vendor Information section below and [AMI's security advisory](https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025005.pdf). As these vulnerabilities may affect firmware distributed through the supply chain, multiple PC OEMs may be impacted. Continue monitoring the Vendor Information section for updates relevant to your device.\r\n\r\n### Acknowledgements\r\nThanks to Binarly REsearch team for the responsible disclosure of this vulnerability to CERT/CC. Thanks also to AMI for their collaboration and timely response. This document was written by Ben Koo.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/209095"},{"url":"https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025005.pdf","summary":"https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025005.pdf"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-33043","summary":"https://www.cve.org/CVERecord?id=CVE-2025-33043"},{"url":"https://www.binarly.io/advisories/brly-dva-2025-005","summary":"https://www.binarly.io/advisories/brly-dva-2025-005"},{"url":"https://www.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/","summary":"https://www.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/"},{"url":"https://www.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/","summary":"https://www.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/"},{"url":"https://static.sched.com/hosted_files/rsa2022/83/RSA%202022%20-%20Sarvepalli2.pdf","summary":"https://static.sched.com/hosted_files/rsa2022/83/RSA%202022%20-%20Sarvepalli2.pdf"},{"url":"https://eclypsium.com/blog/smm-callout-vulnerabilities-in-uefi/","summary":"https://eclypsium.com/blog/smm-callout-vulnerabilities-in-uefi/"},{"url":"https://www.sentinelone.com/labs/moving-from-common-sense-knowledge-about-uefi-to-actually-dumping-uefi-firmware/","summary":"https://www.sentinelone.com/labs/moving-from-common-sense-knowledge-about-uefi-to-actually-dumping-uefi-firmware/"},{"url":"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/","summary":"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/"},{"url":"https://uefi.org/sites/default/files/resources/8_Sarathy_Intel_case%20study%20smm%20alternatives.pdf","summary":"https://uefi.org/sites/default/files/resources/8_Sarathy_Intel_case%20study%20smm%20alternatives.pdf"},{"url":"https://www.binarly.io/blog/repeatable-firmware-security-failures-16-high-impact-vulnerabilities-discovered-in-hp-devices","summary":"https://www.binarly.io/blog/repeatable-firmware-security-failures-16-high-impact-vulnerabilities-discovered-in-hp-devices"},{"url":"https://www.binarly.io/blog/an-in-depth-look-at-the-23-high-impact-vulnerabilities","summary":"https://www.binarly.io/blog/an-in-depth-look-at-the-23-high-impact-vulnerabilities"}],"title":"SMM Memory Corruption Vulnerability in the AMI Aptio's SMM Module Across Multiple Devices","tracking":{"current_release_date":"2025-08-15T15:16:36+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#209095","initial_release_date":"2025-08-15 15:16:36.820615+00:00","revision_history":[{"date":"2025-08-15T15:16:36+00:00","number":"1.20250815151636.1","summary":"Released on 2025-08-15T15:16:36+00:00"}],"status":"final","version":"1.20250815151636.1"}},"vulnerabilities":[{"title":"SMM Memory Corruption Vulnerability in AMI's Aptio Across Multiple Devices\r\n\r\nAMI-based device firmware is based on the Unified Extensible Firmware Interface (UEFI) specification. As such, the firmware utilizes System Management Mode (SMM) as a highly privileged operating mode to interface directly with hardware to perform functions like power management. Since SMM is such a highly privileged environment, it is sometimes referred to as ring -2 since ring 0 is typically considered to be the highest level of access available to a system-level user of an operating system (with the hypervisor being ring -1). \r\n\r\nBinarly REsearch has discovered that in certain modules (the bit of code that performs a specific function during the boot process or runtime in the firmware) an attacker can manipulate or define the value of a pointer to direct the device to an unintended location in memory. As explained in their pseudocode example , the pointer is not validated against overlapping with System Management RAM (SMRAM), a protected area of memory isolated from the operating system. In other words, an attacker can craft a malicious pointer that points into SMRAM in order to execute arbitrary code in SMM."}],"cve":"CVE-2025-33043","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#209095"}]}],"product_tree":{"branches":[]}}