Skip to main content

AMD KVM CVE-2025-62619

| EUVDEUVD-2025-209845 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-14 psirt@amd.com GHSA-mxr8-33jp-5x6f
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 15:33 vuln.today
CVE Published
May 14, 2026 - 15:16 nvd
MEDIUM 6.3

DescriptionCVE.org

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality.

AnalysisAI

Unauthenticated attackers with knowledge of the KVM key download endpoint URL can retrieve sensitive cryptographic keys without authentication, compromising confidentiality of encrypted communications and system secrets. This affects AMD KVM implementations and requires no special user interaction, though attackers must possess prior knowledge of the specific endpoint URL. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

KVM (Kernel-based Virtual Machine) key download endpoints are components that provision cryptographic material to virtual machines and hypervisor systems. The vulnerability stems from missing authentication controls on this sensitive endpoint (CWE-306: Missing Authentication for Critical Function), allowing direct unauthenticated HTTP/HTTPS requests to retrieve key material. The CVSS vector indicates network-accessible attack surface (AV:N) with low attack complexity (AC:L), though attack timing is not negligible (AT:P suggests some temporal factors). The impact is limited to confidentiality loss (VC:L) with no integrity or availability impact, indicating key exfiltration rather than code execution or system disruption.

RemediationAI

Consult AMD Security Bulletin AMD-SB-9023 for vendor-released patches and specific version updates applicable to your KVM deployment. As an immediate compensating control, restrict network access to the KVM key download endpoint using firewall rules, network access control lists, or API gateway authentication layers to permit only trusted administrative systems and hypervisor hosts. Implement authentication and authorization checks on the endpoint itself if possible through configuration or administrative controls, ensuring all requests require valid credentials before key material is returned. Audit access logs to identify any unauthorized key download attempts. Review network segmentation to ensure KVM management endpoints are isolated from untrusted networks. If KVM services can be temporarily disabled without operational impact, consider disabling the endpoint until patches are applied. Verify with AMD whether the endpoint URL has changed or can be relocated to a non-discoverable path as a temporary mitigation.

Share

CVE-2025-62619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy