CVE-2025-62863
📋 TL;DR
This vulnerability allows an attacker to perform an out-of-bounds write in the PCIe driver's S-EL0 address space via a malformed SMC call to the UEFI-MM PCIe driver. It affects Ampere AmpereOne AC03, AC04, and M series devices running vulnerable firmware versions. Successful exploitation could lead to arbitrary code execution or system compromise.
💻 Affected Systems
- Ampere AmpereOne AC03
- Ampere AmpereOne AC04
- Ampere AmpereOne M
📦 What is this software?
Ampereone A128 34x Firmware by Amperecomputing
Ampereone A144 24x Firmware by Amperecomputing
Ampereone A144 26m Firmware by Amperecomputing
Ampereone A144 27x Firmware by Amperecomputing
Ampereone A144 33m Firmware by Amperecomputing
Ampereone A160 28m Firmware by Amperecomputing
Ampereone A160 28x Firmware by Amperecomputing
Ampereone A192 26m Firmware by Amperecomputing
Ampereone A192 26x Firmware by Amperecomputing
Ampereone A192 26x Firmware by Amperecomputing
Ampereone A192 32m Firmware by Amperecomputing
Ampereone A192 32x Firmware by Amperecomputing
Ampereone A96 36m Firmware by Amperecomputing
Ampereone A96 36x Firmware by Amperecomputing
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary code execution at S-EL0 privilege level, potentially leading to persistent firmware-level backdoors, data exfiltration, or complete system control.
Likely Case
Local privilege escalation allowing an attacker to execute arbitrary code with elevated privileges, potentially compromising the entire system from a lower-privileged initial foothold.
If Mitigated
Limited impact if proper access controls restrict SMC call execution to trusted users only, though the vulnerability remains present in firmware.
🎯 Exploit Status
Exploitation requires ability to make SMC calls, typically requiring local access or compromised system component. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AC03: 3.5.9.3, AC04: 4.4.5.2, M series: 5.4.5.1
Vendor Advisory: https://amperecomputing.com/products/security-bulletins/amp-sb-0007
Restart Required: Yes
Instructions:
1. Download firmware update from Ampere support portal. 2. Follow vendor's firmware update procedure for your specific device model. 3. Reboot system to apply firmware update. 4. Verify firmware version after reboot.
🔧 Temporary Workarounds
Restrict SMC call execution
linuxImplement access controls to restrict which users/processes can execute SMC calls
# Configure SELinux/AppArmor policies to restrict SMC access
# Implement mandatory access controls for privileged operations
🧯 If You Can't Patch
- Implement strict access controls to limit which users can execute privileged operations
- Monitor for unusual SMC call patterns and implement intrusion detection for firmware-level attacks
🔍 How to Verify
Check if Vulnerable:
Check firmware version using vendor-specific tools or UEFI/BIOS interfaceCheck Version:
# Use vendor-specific tools or check UEFI/BIOS settings
# Example: dmidecode -t bios | grep VersionVerify Fix Applied:
Verify firmware version matches or exceeds patched versions: AC03 >= 3.5.9.3, AC04 >= 4.4.5.2, M series >= 5.4.5.1📡 Detection & Monitoring
Log Indicators:
- Unusual SMC call patterns
- Failed firmware access attempts
- Privilege escalation attempts
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="kernel" AND ("SMC" OR "secure monitor call") AND severity>=high