Insydeh2o
Monthly
CVE-2024-55567 is an improper input validation vulnerability in the UsbCoreDxe module of Insyde InsydeH2O firmware that allows authenticated local attackers with high privileges to bypass SMM (System Management Mode) protections and execute arbitrary code at the highest firmware privilege level. This affects multiple kernel versions (5.4, 5.5, 5.6, 5.7) across numerous OEM BIOS implementations, enabling complete system compromise including kernel-level code execution and memory access. While CVSS rates this as 7.5 (high), real-world exploitation requires local access and administrative/BIOS-level privileges, though no public POC or active KEV designation has been confirmed.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CVE-2024-55567 is an improper input validation vulnerability in the UsbCoreDxe module of Insyde InsydeH2O firmware that allows authenticated local attackers with high privileges to bypass SMM (System Management Mode) protections and execute arbitrary code at the highest firmware privilege level. This affects multiple kernel versions (5.4, 5.5, 5.6, 5.7) across numerous OEM BIOS implementations, enabling complete system compromise including kernel-level code execution and memory access. While CVSS rates this as 7.5 (high), real-world exploitation requires local access and administrative/BIOS-level privileges, though no public POC or active KEV designation has been confirmed.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.