CVE-2025-63384: n/a
A vulnerability was discovered in the RISC-V Rocket-Chip implementation, v1.6 and before, where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level. Instead of downgrading from Machine-mode (M-mode) to Supervisor-mode (S-mode) as specified by the sstatus.SPP bit, the processor incorrectly remains in M-mode, leading to a critical privilege retention vulnerability.
AI Analysis
Technical Summary
CVE-2025-63384 identifies a critical vulnerability in the RISC-V Rocket-Chip processor, specifically versions 1.6 and earlier. The flaw lies in the implementation of the SRET (Supervisor-mode Exception Return) instruction, which is designed to transition the processor's privilege level from Machine-mode (M-mode) to Supervisor-mode (S-mode) based on the sstatus.SPP bit. Instead of lowering the privilege level, the processor erroneously remains in M-mode, the highest privilege level. This privilege retention undermines the fundamental security model of the RISC-V architecture: code that should run with supervisor privileges keeps machine-level privileges, which have unrestricted access to system resources and control registers. This can lead to unauthorized execution of privileged instructions, bypassing of security controls, and potentially compromise of the entire system. The vulnerability affects the core privilege management mechanism, which is critical for enforcing isolation between execution contexts. No CVSS score has been assigned yet, and no patches or known exploits are currently available. The vulnerability is significant because it can be exploited without authentication or user interaction, and it affects all systems using the affected Rocket-Chip versions. Because Rocket-Chip is open source, many custom SoCs and embedded devices could be impacted if they incorporate the vulnerable core. This vulnerability highlights the importance of rigorous validation of privilege transitions in processor design and the risks associated with hardware-level bugs in emerging architectures like RISC-V.
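To make the expected transition concrete, the following is an added reference model (not Rocket-Chip RTL or any code from the advisory) of what the RISC-V privileged specification requires SRET to do to the privilege level and the sstatus fields, beside a constructed model of the retention behaviour the advisory describes, and a conformance check that tells the two apart. The bit positions (SPP bit 8, SPIE bit 5, SIE bit 1) and the rule that SRET returns to whatever mode SPP names (S or U) are from the specification; `sret_retains_mode` is an illustration of the reported symptom, not the actual Rocket-Chip logic.

```python
"""Reference model of RISC-V SRET privilege handling versus the retention
defect described for CVE-2025-63384. Illustrative model, not Rocket-Chip RTL."""
from dataclasses import dataclass

# Privilege encodings and sstatus bit positions from the RISC-V privileged spec.
PRIV_U, PRIV_S, PRIV_M = 0, 1, 3
SIE_BIT, SPIE_BIT, SPP_BIT = 1, 5, 8


@dataclass
class Hart:
    priv: int      # current privilege mode
    sstatus: int   # supervisor status CSR (only SPP/SPIE/SIE are modelled)
    sepc: int      # supervisor exception program counter
    pc: int = 0

    def bit(self, pos: int) -> int:
        return (self.sstatus >> pos) & 1


def sret_spec(h: Hart) -> Hart:
    """SRET as the privileged spec defines it: priv <- SPP, SIE <- SPIE,
    SPIE <- 1, SPP <- U, pc <- sepc. Legal from S-mode and from M-mode."""
    new_priv = PRIV_S if h.bit(SPP_BIT) else PRIV_U
    s = h.sstatus
    s = (s & ~(1 << SIE_BIT)) | (h.bit(SPIE_BIT) << SIE_BIT)
    s |= 1 << SPIE_BIT
    s &= ~(1 << SPP_BIT)
    return Hart(priv=new_priv, sstatus=s, sepc=h.sepc, pc=h.sepc)


def sret_retains_mode(h: Hart) -> Hart:
    """Constructed model of the reported defect: every side effect except the
    privilege change happens, so a hart executing SRET in M-mode stays in M-mode."""
    out = sret_spec(h)
    if h.priv == PRIV_M:
        out.priv = PRIV_M
    return out


def sret_conforms(impl, priv: int, spp: int, spie: int = 1) -> bool:
    """Conformance check: after SRET the hart must be in exactly the mode SPP
    named, and all CSR side effects must match the spec model."""
    before = Hart(priv=priv, sstatus=(spp << SPP_BIT) | (spie << SPIE_BIT),
                  sepc=0x8000_1000)  # constructed sample sepc
    got, want = impl(before), sret_spec(before)
    return got == want and got.priv == (PRIV_S if spp else PRIV_U)
```

The check passes for the spec model from either mode, and fails for the retention model only when SRET is executed from M-mode, which is the case the advisory singles out.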
Potential Impact
For European organizations, the impact of CVE-2025-63384 could be severe, especially for those relying on RISC-V based embedded systems, IoT devices, or custom SoCs in critical infrastructure, industrial control systems, telecommunications, and automotive sectors. The vulnerability allows unauthorized privilege escalation to the highest processor mode, potentially enabling attackers to bypass security mechanisms, manipulate system firmware, access sensitive data, or disrupt system availability. This could lead to data breaches, operational disruptions, or compromise of safety-critical systems. Given the increasing adoption of RISC-V in Europe’s semiconductor and technology sectors, including research institutions and startups, the vulnerability poses a strategic risk. Additionally, the flaw could undermine trust in RISC-V hardware platforms, delaying adoption and increasing costs due to required mitigations. The absence of patches or mitigations at present increases exposure. Organizations with supply chains involving RISC-V hardware should assess their exposure and prepare for incident response and remediation once fixes are available.
Mitigation Recommendations
Immediate mitigation options are limited due to the hardware-level nature of the vulnerability and lack of available patches. Organizations should:
1) Inventory all systems and devices using RISC-V Rocket-Chip v1.6 or earlier to identify potentially affected assets.
2) Engage with hardware vendors and suppliers to obtain timelines for patches or updated silicon revisions that correct the SRET privilege transition logic.
3) Where possible, apply microcode updates or firmware patches that may provide workarounds or restrict execution of vulnerable instructions.
4) Implement strict access controls and monitoring on systems using affected hardware to detect anomalous privilege escalations or unauthorized access attempts.
5) Isolate critical RISC-V based systems from untrusted networks until mitigations are in place.
6) For new deployments, prefer RISC-V cores with confirmed fixes or alternative architectures until the vulnerability is resolved.
7) Collaborate with industry groups and security researchers tracking RISC-V vulnerabilities to stay informed of developments.
8) Conduct thorough security testing and code audits on software running at supervisor or machine privilege levels to detect exploitation attempts.
These steps go beyond generic advice by focusing on hardware inventory, vendor engagement, and operational controls tailored to this specific hardware privilege escalation issue.
Affected Countries
Germany, France, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691249dd941466772c5416cb
Added to database: 11/10/2025, 8:23:57 PM
Last enriched: 11/10/2025, 8:37:27 PM
Last updated: 11/12/2025, 4:10:47 AM