CVE-2025-0036: CWE-682 Incorrect Calculation in AMD Platform Loader and Manager (PLM)
In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data.
AI Analysis
Technical Summary
CVE-2025-0036 is a vulnerability identified in AMD's Platform Loader and Manager (PLM) component, specifically affecting AMD Versal Adaptive SoC devices. The core issue involves an incorrect calculation or configuration of the Secure Subsystem (SSS) during runtime cryptographic operations, which occur after the system boot phase. This misconfiguration can lead to data being written to and read from invalid memory locations, resulting in the return of incorrect cryptographic data. The vulnerability is categorized under several CWE identifiers, including CWE-682 (Incorrect Calculation), CWE-772 (Missing Release of Resource after Effective Lifetime), CWE-940 (Improper Initialization), CWE-941 (Improper Handling of Exceptional Conditions), and CWE-497 (Exposure of Sensitive Information to an Unauthorized Actor). These classifications suggest that the vulnerability stems from flawed logic in cryptographic processing and resource management within the PLM. The CVSS v3.1 base score is 3.2, indicating a low severity level. The vector string (AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N) reveals that exploitation requires local access with low privileges, some user interaction, and results in a confidentiality impact with scope change but no integrity or availability impact. No known exploits are currently reported in the wild, and no patches are linked yet, though affected versions are referenced in AMD-SB-8011. The vulnerability could cause cryptographic operations to produce incorrect outputs, potentially undermining the security guarantees of cryptographic functions, which may affect secure communications, data protection, or authentication mechanisms relying on the PLM's cryptographic services.
Potential Impact
For European organizations utilizing AMD Versal Adaptive SoC devices, particularly in sectors relying on embedded systems or specialized hardware platforms, this vulnerability could lead to compromised cryptographic operations. Although the direct impact on confidentiality is rated low, incorrect cryptographic data could undermine trust in secure communications or data integrity checks, potentially exposing sensitive information indirectly or causing failures in security protocols. This is particularly relevant for industries such as telecommunications, defense, automotive, and critical infrastructure where AMD SoCs might be deployed. The requirement for local access and user interaction limits the risk of remote exploitation but does not eliminate insider threats or attacks via compromised user accounts. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the initially targeted subsystem, potentially broadening the impact within affected devices. Given the cryptographic nature of the flaw, organizations relying on these devices for secure key management or encryption might face subtle data leakage or trust issues in cryptographic outputs, which could complicate incident response and forensic analysis.
Mitigation Recommendations
Organizations should first identify all AMD Versal Adaptive SoC devices in their environment and verify if they are running affected versions as referenced in AMD-SB-8011. Until patches are available, restrict local access to these devices to trusted personnel only and implement strict user interaction controls to minimize exploitation opportunities. Employ monitoring for unusual cryptographic operation failures or anomalies in device logs that could indicate exploitation attempts. Where possible, isolate affected devices within secure network segments to reduce insider threat risks. Coordinate with AMD for timely receipt and deployment of firmware or software updates addressing this vulnerability. Additionally, review cryptographic workflows relying on the PLM to detect any inconsistencies or errors that could be symptomatic of this issue. Implement multi-factor authentication and enhanced endpoint security controls on systems interfacing with these devices to reduce the risk of unauthorized local access. Finally, consider cryptographic redundancy or validation mechanisms at higher layers to detect and mitigate incorrect cryptographic outputs caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland
CVE-2025-0036: CWE-682 Incorrect Calculation in AMD Platform Loader and Manager (PLM)
Description
In AMD Versal Adaptive SoC devices, the incorrect configuration of the SSS during runtime (post-boot) cryptographic operations could cause data to be incorrectly written to and read from invalid locations as well as returning incorrect cryptographic data.
AI-Powered Analysis
Technical Analysis
CVE-2025-0036 is a vulnerability identified in AMD's Platform Loader and Manager (PLM) component, specifically affecting AMD Versal Adaptive SoC devices. The core issue involves an incorrect calculation or configuration of the Secure Subsystem (SSS) during runtime cryptographic operations, which occur after the system boot phase. This misconfiguration can lead to data being written to and read from invalid memory locations, resulting in the return of incorrect cryptographic data. The vulnerability is categorized under several CWE identifiers, including CWE-682 (Incorrect Calculation), CWE-772 (Missing Release of Resource after Effective Lifetime), CWE-940 (Improper Initialization), CWE-941 (Improper Handling of Exceptional Conditions), and CWE-497 (Exposure of Sensitive Information to an Unauthorized Actor). These classifications suggest that the vulnerability stems from flawed logic in cryptographic processing and resource management within the PLM. The CVSS v3.1 base score is 3.2, indicating a low severity level. The vector string (AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N) reveals that exploitation requires local access with low privileges, some user interaction, and results in a confidentiality impact with scope change but no integrity or availability impact. No known exploits are currently reported in the wild, and no patches are linked yet, though affected versions are referenced in AMD-SB-8011. The vulnerability could cause cryptographic operations to produce incorrect outputs, potentially undermining the security guarantees of cryptographic functions, which may affect secure communications, data protection, or authentication mechanisms relying on the PLM's cryptographic services.
Potential Impact
For European organizations utilizing AMD Versal Adaptive SoC devices, particularly in sectors relying on embedded systems or specialized hardware platforms, this vulnerability could lead to compromised cryptographic operations. Although the direct impact on confidentiality is rated low, incorrect cryptographic data could undermine trust in secure communications or data integrity checks, potentially exposing sensitive information indirectly or causing failures in security protocols. This is particularly relevant for industries such as telecommunications, defense, automotive, and critical infrastructure where AMD SoCs might be deployed. The requirement for local access and user interaction limits the risk of remote exploitation but does not eliminate insider threats or attacks via compromised user accounts. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the initially targeted subsystem, potentially broadening the impact within affected devices. Given the cryptographic nature of the flaw, organizations relying on these devices for secure key management or encryption might face subtle data leakage or trust issues in cryptographic outputs, which could complicate incident response and forensic analysis.
Mitigation Recommendations
Organizations should first identify all AMD Versal Adaptive SoC devices in their environment and verify if they are running affected versions as referenced in AMD-SB-8011. Until patches are available, restrict local access to these devices to trusted personnel only and implement strict user interaction controls to minimize exploitation opportunities. Employ monitoring for unusual cryptographic operation failures or anomalies in device logs that could indicate exploitation attempts. Where possible, isolate affected devices within secure network segments to reduce insider threat risks. Coordinate with AMD for timely receipt and deployment of firmware or software updates addressing this vulnerability. Additionally, review cryptographic workflows relying on the PLM to detect any inconsistencies or errors that could be symptomatic of this issue. Implement multi-factor authentication and enhanced endpoint security controls on systems interfacing with these devices to reduce the risk of unauthorized local access. Finally, consider cryptographic redundancy or validation mechanisms at higher layers to detect and mitigate incorrect cryptographic outputs caused by this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- AMD
- Date Reserved
- 2024-11-21T16:18:02.918Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68487f531b0bd07c39389fab
Added to database: 6/10/2025, 6:54:11 PM
Last enriched: 7/10/2025, 11:35:21 PM
Last updated: 8/17/2025, 8:05:10 PM
Views: 18
Related Threats
CVE-2025-57701: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumCVE-2025-57700: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
HighCVE-2025-9109: Observable Response Discrepancy in Portabilis i-Diario
MediumCVE-2025-9108: Improper Restriction of Rendered UI Layers in Portabilis i-Diario
MediumCVE-2025-9107: Cross Site Scripting in Portabilis i-Diario
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.