Phoenix: Rowhammer that works on DDR5 | Kaspersky official blog

Medium
Vulnerability
Published: Fri Oct 03 2025 (10/03/2025, 16:01:41 UTC)
Source: Kaspersky Security Blog

Description

Phoenix is a new variant of the Rowhammer attack that targets DDR5 memory modules, demonstrating that even the latest memory technologies remain vulnerable. By reverse-engineering the Target Row Refresh (TRR) defense mechanism, researchers found timing windows where protections weaken, allowing precise bit flips in memory. The attack enables arbitrary memory read/write, theft of private encryption keys, and privilege escalation on Linux systems. While requiring detailed knowledge of the target environment and specific hardware conditions (notably AMD Zen 2/3 CPUs with certain DDR5 modules), the attack is practical and can complete within seconds to minutes. The attack currently affects DDR5 modules from SK Hynix, a major market player. Mitigations include reducing refresh intervals, using ECC memory, adopting fine granularity refresh techniques, and moving away from proprietary security through obscurity. European organizations using affected hardware, especially in critical infrastructure and enterprises relying on AMD platforms, face risks to confidentiality, integrity, and availability. Countries with high adoption of AMD-based servers and SK Hynix DDR5 modules are most at risk. The attack is medium severity due to its complexity and constrained scenarios but remains a significant concern for memory security.

AI-Powered Analysis

Last updated: 10/07/2025, 01:33:22 UTC

Technical Analysis

Phoenix is an advanced Rowhammer attack variant targeting DDR5 memory modules, first demonstrated by ETH Zurich researchers in 2025. Rowhammer exploits electrical disturbance between adjacent memory rows to induce bit flips, potentially altering critical data. DDR5 modules incorporate Target Row Refresh (TRR) as a hardware defense, which monitors aggressively accessed rows and refreshes their neighbours to prevent corruption. Phoenix bypasses TRR by exploiting timing windows: after 128 TRR-tracked accesses, a 64-access window occurs where the defense weakens, and a second window appears after 2608 refresh intervals. The attack uses dummy memory accesses to lull TRR protections, then performs precise hammering to flip bits in targeted memory cells. Researchers tested 15 DDR5 modules from SK Hynix, confirming reliable exploitation of arbitrary memory read/write across all tested modules, with partial success stealing RSA-2048 private keys and bypassing Linux sudo protections for privilege escalation. The attack requires detailed knowledge of the target's memory layout and software, and is constrained to AMD Zen 2 and Zen 3 CPU platforms paired with vulnerable DDR5 modules. Exploitation times range from seconds to minutes. Proposed mitigations include reducing refresh intervals (at the cost of higher power draw and heat), deploying ECC memory, implementing fine granularity refresh in memory controllers, and advocating transparency in security mechanisms rather than proprietary obscurity. Phoenix demonstrates that DDR5 is not immune to Rowhammer, challenging assumptions about memory security and prompting renewed focus on hardware-level defenses.

Potential Impact

For European organizations, Phoenix poses a tangible risk to systems using vulnerable DDR5 memory modules, particularly those paired with AMD Zen 2 or Zen 3 CPUs. The ability to induce bit flips can lead to arbitrary memory read/write, enabling attackers to steal sensitive data such as private encryption keys, escalate privileges, and potentially disrupt system stability. This threatens confidentiality, integrity, and availability of critical systems, especially in sectors like finance, government, healthcare, and critical infrastructure where data protection is paramount. The attack's reliance on specific hardware and detailed target knowledge limits its widespread exploitation but does not eliminate risk to high-value targets. Enterprises deploying SK Hynix DDR5 modules in servers or workstations may face increased exposure. The medium severity reflects the attack's complexity and constrained scenarios but underscores the need for vigilance and proactive mitigation. Failure to address these vulnerabilities could lead to data breaches, unauthorized access, and operational disruptions within European organizations.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to Phoenix's technical specifics. First, verify hardware inventory to identify systems using SK Hynix DDR5 modules paired with AMD Zen 2 or Zen 3 CPUs and prioritize them for mitigation. Deploy ECC memory where possible to detect and correct bit flips, reducing attack success probability. Collaborate with hardware vendors to ensure firmware and microcode updates incorporate fine granularity refresh protections and improved TRR algorithms. Adjust memory refresh intervals to shorter durations to reduce vulnerability windows, balancing power and thermal considerations. Harden Linux systems by applying the latest kernel patches and security configurations to mitigate privilege escalation vectors like sudo bypass. Employ runtime integrity monitoring to detect anomalous memory behavior indicative of Rowhammer exploitation. Advocate for transparency from hardware manufacturers regarding TRR implementations to enable independent security validation. Finally, incorporate Phoenix-specific threat scenarios into incident response and penetration testing exercises to improve detection and response capabilities.
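The first mitigation step above, identifying hosts that pair SK Hynix DDR5 modules with an AMD Zen 2 or Zen 3 CPU and checking whether ECC is in use, can be scripted against the text of `dmidecode -t memory` and `lscpu`. The script below is an added example, not code from Kaspersky, ETH Zurich or this threat record. It assumes the usual dmidecode field names (`Type:`, `Manufacturer:`, `Error Correction Type:`) and lscpu fields (`Vendor ID:`, `CPU family:`); the sample outputs embedded in it are constructed and abridged so it runs offline. Note that AMD family 23 also covers Zen and Zen+, and family 25 also covers Zen 4, so a family match is a candidate to confirm by model, not a verdict.

```shell
#!/bin/sh
# Added example (not from the Kaspersky article or this threat record): a host
# inventory check for the first mitigation step. It classifies a machine from
# the text of `dmidecode -t memory` and `lscpu`. The sample outputs below are
# constructed and abridged so the script runs offline.

# Constructed sample: AMD family 25 host with two SK Hynix DDR5 DIMMs and no ECC.
SAMPLE_DMI_A='Physical Memory Array
        Error Correction Type: None
Memory Device
        Type: DDR5
        Manufacturer: SK Hynix
Memory Device
        Type: DDR5
        Manufacturer: SK Hynix'
SAMPLE_CPU_A='Vendor ID:           AuthenticAMD
CPU family:          25
Model:               33'

# Constructed sample: Intel host with one SK Hynix DDR5 DIMM behind multi-bit ECC.
SAMPLE_DMI_B='Physical Memory Array
        Error Correction Type: Multi-bit ECC
Memory Device
        Type: DDR5
        Manufacturer: SK Hynix'
SAMPLE_CPU_B='Vendor ID:           GenuineIntel
CPU family:          6
Model:               143'

# Constructed sample: DDR4-only host, outside the reported scope of Phoenix.
SAMPLE_DMI_C='Physical Memory Array
        Error Correction Type: None
Memory Device
        Type: DDR4
        Manufacturer: Micron'

# Count DDR5 devices whose manufacturer string contains "hynix". Some boards
# print a raw JEDEC ID instead of a vendor name; those are not counted here.
hynix_ddr5_count() {
    printf '%s\n' "$1" | awk '
        /^Memory Device/        { type = ""; mfr = "" }
        /^[ \t]*Type:/          { type = $2 }
        /^[ \t]*Manufacturer:/  { sub(/^[ \t]*Manufacturer:[ \t]*/, ""); mfr = tolower($0) }
        type == "DDR5" && mfr ~ /hynix/ { n++; type = ""; mfr = "" }
        END { print n + 0 }'
}

# "yes" if any physical memory array reports an error-correction type other
# than None/Unknown. ECC lowers the chance of a silent flip; it is not a cure.
ecc_present() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Error Correction Type:/ {
            sub(/^[ \t]*Error Correction Type:[ \t]*/, "")
            if ($0 != "None" && $0 != "Unknown") ecc = 1
        }
        END { r = ecc ? "yes" : "no"; print r }'
}

# AMD family 23 (17h) spans Zen, Zen+ and Zen 2; family 25 (19h) spans Zen 3
# and Zen 4. A match therefore means "candidate"; confirm the exact model.
amd_candidate() {
    printf '%s\n' "$1" | awk -F: '
        /^Vendor ID:/  { gsub(/[ \t]/, "", $2); vendor = $2 }
        /^CPU family:/ { gsub(/[ \t]/, "", $2); family = $2 + 0 }
        END { r = (vendor == "AuthenticAMD" && (family == 23 || family == 25)) ? "yes" : "no"; print r }'
}

# Combine the three checks into a triage label for the host.
classify_host() {
    dimms=$(hynix_ddr5_count "$1")
    if [ "$dimms" -eq 0 ]; then
        echo "OK"        # no SK Hynix DDR5 seen
    elif [ "$(amd_candidate "$2")" = "yes" ] && [ "$(ecc_present "$1")" = "no" ]; then
        echo "AT-RISK"   # affected module family on a candidate CPU with no ECC
    else
        echo "REVIEW"    # affected modules present; ECC or a non-AMD CPU lowers, not removes, the risk
    fi
}

# Stand-alone run over the constructed samples. On a real host use:
#   classify_host "$(sudo dmidecode -t memory)" "$(lscpu)"
printf 'host A: %s\n' "$(classify_host "$SAMPLE_DMI_A" "$SAMPLE_CPU_A")"
printf 'host B: %s\n' "$(classify_host "$SAMPLE_DMI_B" "$SAMPLE_CPU_B")"
printf 'host C: %s\n' "$(classify_host "$SAMPLE_DMI_C" "$SAMPLE_CPU_A")"
```

The three labels map onto the recommendations above: AT-RISK hosts go to the front of the queue for ECC, refresh-interval and firmware changes; REVIEW hosts carry the affected module family but either have ECC or sit on a platform where the attack has not been demonstrated; OK hosts are outside the reported scope. Run it from inventory tooling rather than by hand so the result can be tracked over time.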


Technical Details

Article Source
URL: https://www.kaspersky.com/blog/phoenix-rowhammer-attack/54528/ (fetched 2025-10-07 01:33:06 UTC, 1559 words)

Threat ID: 68e46dd46a45552f36e95747

Added to database: 10/7/2025, 1:33:08 AM

Last enriched: 10/7/2025, 1:33:22 AM

Last updated: 10/7/2025, 9:19:22 AM
