CrowdStrike elevates threat classification despite CVSS scores: While AMD rates the vulnerabilities as medium and low severity based on attack complexity requirements, CrowdStrike has independently classified them as critical enterprise threats. The security firm specifically flagged CVE-2025-36350 and CVE-2025-36357 as “Critical information disclosure vulnerabilities in AMD processors,” despite both carrying CVSS scores of just 5.6.According to CrowdStrike’s threat assessment, these vulnerabilities “affecting Store Queue and L1 Data Queue respectively, allow authenticated local attackers with low privileges to access sensitive information through transient scheduler attacks without requiring user interaction.”This assessment reflects enterprise-focused risk evaluation that considers operational realities beyond technical complexity. The combination of low privilege requirements and no user interaction makes these vulnerabilities particularly concerning for environments where attackers may have already gained initial system access through malware, supply chain compromises, or insider threats.CrowdStrike’s classification methodology appears to weigh the potential for privilege escalation and security mechanism bypass more heavily than the technical prerequisites. In enterprise environments where sophisticated threat actors routinely achieve local system access, the ability to extract kernel-level information without user interaction represents a significant operational risk regardless of the initial attack complexity.
Microsoft coordinates cross-vendor response: According to CrowdStrike, “Microsoft has included these AMD vulnerabilities in the Security Update Guide because their mitigation requires Windows updates. The latest Windows builds enable protections against these vulnerabilities.”The coordinated response reflects the complexity of modern processor security, where vulnerabilities often require simultaneous updates across firmware, operating systems, and potentially hypervisor layers. Microsoft’s involvement demonstrates how processor-level security flaws increasingly require ecosystem-wide coordination rather than single-vendor solutions.Both Microsoft and AMD assess exploitation as “Less Likely,” with CrowdStrike noting “there is no evidence of public disclosure or active exploitation at this time.” The security firm compared these flaws to previous “speculative store bypass vulnerabilities” that have affected processors, suggesting established mitigation patterns can be adapted for the new attack vectors.AMD’s mitigation strategy involves what the company describes as Platform Initialization firmware versions that address the timing vulnerabilities at the processor level. However, complete protection requires corresponding operating system updates that may introduce performance considerations for enterprise deployments.
Enterprise implications beyond traditional scoring: The CrowdStrike assessment provides additional context for enterprise security teams navigating the complexity of processor-level vulnerabilities. While traditional CVSS scoring focuses on technical attack vectors, enterprise security firms like CrowdStrike often consider broader operational risks when classifying threats.The fact that these attacks require only “low privileges” and work “without requiring user interaction” makes them particularly concerning for enterprise environments where attackers may have already gained initial access through other means. CrowdStrike’s critical classification reflects the reality that sophisticated threat actors regularly achieve the local access prerequisites these vulnerabilities require.Microsoft’s assessment that “there is no known exploit code available anywhere” provides temporary reassurance, but enterprise security history demonstrates that proof-of-concept code often emerges rapidly following vulnerability disclosures.The TSA vulnerabilities also coincide with broader processor security concerns. Similar to previous side-channel attacks like Spectre and Meltdown, these flaws exploit fundamental CPU optimization features, making them particularly challenging to address without performance trade-offs.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4020192/amd-discloses-new-cpu-flaws-that-can-enable-data-leaks-via-timing-attacks.html
