AMD AutoUpdate RCE Flaw Bypasses Bounty Scope Despite PSIRT Review
AMD AutoUpdate HTTP download flaw led to out-of-scope bounty ruling yet prompted CVE commitment after public attention.
Decompilation of AMD AutoUpdate revealed that it downloads executables from HTTP URLs without certificate checks, enabling man-in-the-middle (MITM) remote code execution on affected systems. The primary source documentation at https://mrbruh.com/amd2/ shows the development URL in app.config and the immediate execution of downloaded files. AMD PSIRT later agreed to issue a CVE after Intigriti initially rejected the report on MITM grounds. Related reports in Intel security bulletins document comparable update-mechanism weaknesses in optional tools, while prior AMD advisories at https://www.amd.com/en/corporate/product-security confirm patterns of extended embargoes beyond the 90-day standard. The case exposes prioritization differences for non-core software affecting Ryzen Master and additional utilities.
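A defender can audit for the two conditions described above, an update URL in app.config that uses plain HTTP and a download that runs without any integrity check. The following is an added example, not code from AMD or from the primary source; the config keys, hosts and the idea of a digest pinned from a separately authenticated manifest are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in .NET app.config layout; keys and hosts are hypothetical.
SAMPLE_APP_CONFIG = """<configuration>
  <appSettings>
    <add key="UpdateManifestUrl" value="https://updates.example.invalid/manifest.xml" />
    <add key="DevUpdateUrl" value="http://dev.example.invalid/updates/" />
    <add key="LogLevel" value="Info" />
  </appSettings>
</configuration>"""


def insecure_update_urls(config_xml):
    """Return (key, url) pairs from appSettings whose value is a plain-HTTP URL."""
    root = ET.fromstring(config_xml)
    findings = []
    for node in root.findall("./appSettings/add"):
        value = node.get("value", "")
        # Non-URL values such as "Info" parse with an empty scheme and are skipped.
        if urlparse(value).scheme.lower() == "http":
            findings.append((node.get("key"), value))
    return findings


def may_execute(download_url, payload, pinned_sha256):
    """Gate before running a downloaded file.

    Both conditions must hold: the file came over HTTPS, and its SHA-256
    matches a digest obtained from an authenticated source (assumption:
    a manifest whose signature was verified elsewhere).
    """
    if urlparse(download_url).scheme.lower() != "https":
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())


if __name__ == "__main__":
    for key, url in insecure_update_urls(SAMPLE_APP_CONFIG):
        print(f"plain-HTTP update setting: {key} -> {url}")
```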
AXIOM: AMD's handling of the AutoUpdate flaw shows recurring vendor triage favoring core silicon over auxiliary software components.
Sources (3)
- [1] Primary Source (https://mrbruh.com/amd2/)
- [2] Related Source (https://www.amd.com/en/corporate/product-security)
- [3] Related Source (https://www.intel.com/content/www/us/en/security-center/default.html)