Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Unsafe OpenSSL initialization within some AMD optional tools may allow a local user-privileged attacker to inject a malicious DLL, potentially resulting in arbitrary code execution.
AnalysisAI
Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.
Technical ContextAI
This is a classic DLL search order hijacking vulnerability (CWE-427: Uncontrolled Search Path Element) affecting AMD's optional system utilities during OpenSSL cryptographic library initialization. When these tools load OpenSSL DLLs at runtime, they fail to specify absolute paths or validate the DLL search order, allowing attackers to place malicious DLLs in directories that Windows searches before legitimate library locations (such as application directory, current working directory, or PATH directories). The CVSS 4.0 vector indicates local attack vector (AV:L) with low complexity (AC:L), requiring low-privileged user access (PR:L) and user interaction (UI:P) - typically achieved by tricking a user into running the affected AMD tool from an attacker-controlled directory. The vulnerability scope is unchanged (SC:N/SI:N/SA:N), meaning exploitation occurs within the security context of the vulnerable tool itself rather than escaping to other system components.
RemediationAI
Consult AMD Security Bulletin AMD-SB-9024 at https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9024.html for patched versions of affected optional tools and apply vendor-recommended updates immediately. If the advisory specifies affected tool names, prioritize patching utilities that run with administrative privileges or are frequently used by privileged accounts. As an interim compensating control, restrict write access to directories in the Windows DLL search path for the affected AMD tools (application directory, current working directory, and system PATH locations) to prevent unauthorized DLL placement - note this requires identifying where these tools are installed and may break legitimate workflows if applied too broadly. Consider application whitelisting or AppLocker policies to prevent execution of unsigned DLLs from non-standard locations, though this adds operational overhead. If specific AMD tools are not required for business operations, uninstall them entirely to eliminate attack surface. Educate users with access to these tools not to run them from untrusted directories or network shares where attackers could plant malicious DLLs.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209847
GHSA-346w-gjpw-jf9r