AMI Aptio BIOS: Privilege escalation enables firmware manipulation

IT researchers have discovered a security vulnerability in the AMI Aptio and AptioV BIOS that enables privilege escalation on the affected system.


There is a security gap in AMI's Aptio and AptioV BIOS versions. Attackers can abuse a vulnerability in an SMM module to write data to addresses they control. This apparently also makes it possible to change the contents of the flash memory. The vulnerability is actually quite old but was recently “rediscovered,” as systems in the wild are still susceptible to it.

The renowned CERT of Carnegie Mellon University is currently issuing a warning about this. It refers to a publication by IT researchers at Binarly from the beginning of July this year. Specifically, attackers can abuse the vulnerability to escalate their privileges from ring 0 to ring -2, i.e. into system management mode (SMM), which is completely isolated from the operating system. This also allows them to bypass SMM-based protection mechanisms such as SPI flash write protection and thus, for example, implant a backdoor in the firmware.

Firmware manipulated in this way also survives operating system reinstallations. The vulnerability also allows malicious actors to bypass security mechanisms provided by UEFI firmware, such as Secure Boot and some variants of memory protection for hypervisors, writes Binarly.

AMI published its security announcement at the end of May. “The issue was identified, resolved, and pointed out under confidentiality in 2018,” AMI writes there. Binarly has rediscovered the vulnerability, as the problem has not been addressed in several devices on the market. However, there is disagreement about the severity. While AMI assigns the vulnerability CVE-2025-33043 / EUVD-2025-16381 a CVSS score of 5.8 and thus a “medium” risk, the Binarly researchers arrive at a CVSS score of 8.2, which corresponds to a “high” risk.


Binarly has detected the vulnerability in BIOS versions from around 2024. The affected systems include Adlinktech cExpress-KL-LT2, Adlinktech LED-TKN, Dell Latitude 13 3380, HP Z VR Backpack G1, HP 200 G3, some Lenovo ThinkCentre systems, the TS150, and the Samsung Notebook Odyssey. According to Binarly, the manufacturers are also providing microcode updates for these systems.

In mid-July, the CERT had already reported similar vulnerabilities with a comparable history, which affected Gigabyte mainboards in particular.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.