AMD addresses TPM security flaw with AM5 AGESA 1.2.0.3e update

AMD addresses TPM security flaw with its latest motherboard AGESA updates

AMD has issued a security bulletin, informing its customers of a vulnerability that was uncovered by the Trusted Computing Group (TCG). This security concern has been addressed with the release of new AGESA updates for AMD motherboards, which fix a potential read vulnerability in the Trusted Platform Module (TPM 2.0) implementation code.

This security flaw impacts Ryzen 3000/Threadripper 3000 and newer AMD processors. The newest fix for this issue has become available with AMD’s AGESA ComboAM5Pi 1.2.0.3e update. This specific fix is for AM5 motherboards with Ryzen 7000, 8000, and 9000 series CPUs. Alternative updates are available for AMD’s other CPUs/platforms. Note that fixes are still in the works for some of AMD’s embedded CPUs.

The Trusted Computing Group (TCG) Vulnerability Response Team (VRT) has reported a potential out of bounds (OOB) read vulnerability in the Trusted Platform Module (TPM) 2.0 reference implementation code. This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation. If successfully exploited, the vulnerability could allow an attacker to read data stored in the TPM or potentially impact TPM availability.

AMD has analyzed the TCG’s report and believes the AMD Firmware TPM (fTPM) is impacted by this vulnerability.

AMD released to the Original Equipment Manufacturers (OEM) the Platform Initialization (PI) firmware versions on the dates listed below. Please contact your OEM for the BIOS update specific to your product(s).

AMD

(A full list of affected CPUs is available here)

This security flaw is an out-of-bounds read vulnerability in the TPM 2.0 Module Library. It allows a read past the end of a TPM 2.0 routine, which could potentially be exploited to read sensitive data or impact TPM availability. The issue has been assigned the identifier CVE-2025-2884 and a CVSS score of 6.6, categorising it as a “Medium” severity vulnerability.

Note that hackers have been unable to use this vulnerability in the wild. It was uncovered by the Trusted Computing Group (TCG) and reported to AMD, and AMD addressed it before hackers could exploit it. To eliminate the threat posed by this security issue, users only need to update their motherboard to its newest BIOS version. However, not all AM5 motherboards have AGESA 1.2.0.3e updates yet. Soon, all AM5 motherboards should have BIOS updates that contain AMD’s fixes.
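For anyone tracking several AM5 machines, the check below sorts AGESA strings into patched, needs-update, or unknown against the 1.2.0.3e release named above. It is an added example, not AMD's or OC3D's code; the string format, host names and inventory are assumptions, and it treats releases after 1.2.0.3e as retaining the fix.

```python
import re

# Fixed AM5 release named in the article. Other platforms have their own
# fixed releases, which the article does not list, so they are out of scope.
FIXED_AM5 = "ComboAM5PI 1.2.0.3e"

# Assumed string shape: "ComboAM5PI a.b.c.d" plus an optional patch letter.
_AM5_RE = re.compile(
    r"ComboAM5PI\s*(\d+)\.(\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9])",
    re.IGNORECASE,
)


def parse_am5_agesa(text):
    """Return (a, b, c, d, letter) for an AM5 AGESA string, or None."""
    m = _AM5_RE.search(text)
    if not m:
        return None
    *nums, letter = m.groups()
    # Numbers compare numerically; "" sorts before "a", so 1.2.0.3 < 1.2.0.3a.
    return tuple(int(n) for n in nums) + (letter.lower(),)


def classify(bios_string):
    """'patched', 'needs-update', or 'unknown' (no AM5 AGESA tag found)."""
    version = parse_am5_agesa(bios_string)
    if version is None:
        return "unknown"
    # Assumption: releases after 1.2.0.3e keep the fix.
    return "patched" if version >= parse_am5_agesa(FIXED_AM5) else "needs-update"


def triage(inventory):
    """Map host -> status for a {host: BIOS/AGESA description} inventory."""
    return {host: classify(desc) for host, desc in inventory.items()}


# Constructed sample inventory (hypothetical hosts and strings).
SAMPLE_INVENTORY = {
    "ws-01": "AGESA ComboAM5PI 1.2.0.3e",
    "ws-02": "Update AGESA to ComboAM5PI 1.2.0.3c",
    "ws-03": "ComboAm5Pi 1.2.0.2b",
    "ws-04": "ComboAM5PI 1.2.0.3",
    "ws-05": "ComboAM5PI 1.2.0.10",    # numeric, not lexical, comparison
    "ws-06": "ComboAM4v2PI 1.2.0.7",   # not AM5: threshold does not apply
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check against the OEM's release notes, since the 1.2.0.3e threshold applies only to AM5 firmware.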


Mark Campbell
