A hot potato: All users with AMD Ryzen processors from the last few years should check and update their motherboard firmware ASAP, especially if they haven’t done so since before 2023. AMD has published a detailed chart describing four severe security issues affecting server, desktop, workstation, HEDT, mobile, and embedded Zen CPUs. Recent BIOS updates have addressed most, but not all of the flaws.
All four vulnerabilities AMD has acknowledged are marked as high-severity. The chart below lists the minimum AGESA version needed to mitigate all issues for each processor generation. A more detailed breakdown of which problems and solutions affect each CPU can be found in the company’s security bulletin.
One of the vulnerabilities, designated CVE-2023-20576, can allow attackers to initiate denial of service attacks or escalate privileges due to insufficient data authenticity verification in the BIOS.
Two others – CVE-2023-20577 and CVE-2023-20587 – can enable arbitrary code execution by granting access to the SPI flash through System Management Mode. Another, dubbed CVE-2023-20579, can cause loss of integrity and availability through improper access control in AMD’s SPI protection feature.
CPU Generation | Minimum Patched BIOS version | Availability Date |
---|---|---|
1st Gen AMD EPYC | NaplesPI 1.0.0.K | 2023-Apr-27 |
2nd Gen AMD EPYC | RomePI 1.0.0.H | 2023-Nov-07 |
3rd Gen AMD EPYC | MilanPI 1.0.0.C | 2023-Dec-18 |
4th Gen AMD EPYC | GenoaPI 1.0.0.8 | 2023-Jun-09 |
Ryzen 3000 Desktop | ComboAM4 1.0.0.B | 2024-Mar |
Ryzen 5000 Desktop | ComboAM4v2 1.2.0.B | 2023-Aug-25 |
Ryzen 5000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
Ryzen 7000 Desktop | ComboAM5 1.0.8.0 | 2023-Aug-29 |
Ryzen 3000 Desktop w/ Radeon | ComboAM4 1.0.0.B | 2024-Mar |
Ryzen 4000 Desktop w/ Radeon | ComboAM4v2PI 1.2.0.C | 2024-Feb-07 |
Ryzen Threadripper 3000 | CastlePeakPI-SP3r3 1.0.0.A | 2023-Nov-21 |
Ryzen Threadripper Pro 3000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
Ryzen Threadripper Pro 5000WX | ChagallWSPI-sWRX8 1.0.0.7 | 2024-Jan-11 |
Athlon 3000 Mobile w/ Radeon | PollockPI-FT5 1.0.0.6 | 2023-Oct-26 |
Ryzen 3000 Mobile w/ Radeon | PicassoPI-FP5 1.0.1.0 | 2023-May-31 |
Ryzen 4000 Mobile w/ Radeon | RenoirPI-FP6 1.0.0.D | 2024-Feb |
Ryzen 5000 Mobile w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 7020 w/ Radeon | MendocinoPI-FT6 1.0.0.6 | 2024-Jan-03 |
Ryzen 6000 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
Ryzen 7035 w/ Radeon | RembrandtPI-FP7 1.0.0.A | 2023-Dec-28 |
Ryzen 5000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 3000 w/ Radeon | CezannePI-FP6 1.0.1.0 | 2024-Jan-25 |
Ryzen 7040 w/ Radeon | PhoenixPI-FP8-FP7 1.1.0.0 | 2023-Oct-06 |
Ryzen 7045 Mobile | DragonRangeFL1PI 1.0.0.3b | 2023-Aug-30 |
Epyc Embedded 3000 | Snowyowl PI 1.1.0.B | 2023-Dec-15 |
Epyc Embedded 7002 | EmbRomePI-SP3 1.0.0.B | 2023-Dec-15 |
Epyc Embedded 7003 | EmbMilanPI-SP3 1.0.0.8 | 2024-Jan-15 |
Epyc Embedded 9003 | EmbGenoaPI-SP5 1.0.0.3 | 2023-Sep-15 |
Ryzen Embedded R1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
Ryzen Embedded R2000 | EmbeddedPI-FP5 1.0.0.2 | 2023-Jul-31 |
Ryzen Embedded 5000 | EmbAM4PI 1.0.0.4 | 2023-Sep-22 |
Ryzen Embedded V1000 | EmbeddedPI-FP5 1.2.0.A | 2023-Jul-31 |
Ryzen Embedded V2000 | EmbeddedPI-FP6 1.0.0.9 | 2024-Apr |
Ryzen Embedded V3000 | EmbeddedPI-FP7r2 1.0.0.9 | 2024-Apr |
Those with Ryzen 3000 series desktop CPUs, 4000 series mobile APUs, embedded V2000 chips, or V3000 systems should exercise extra vigilance over the next few months, as the issues affecting those generations have not all been patched. An update planned for later this month will address the vulnerabilities for the 4000 series APUs, while a March 2024 BIOS update will fix the 3000 series CPUs. The affected embedded products will receive patches in April.
All other Zen processors received the relevant fixes in updates between mid-2023 and early this month. For 2nd-gen Epyc processors, the update that mitigated last year’s Zenbleed attack also protects against the new vulnerabilities.
There are several ways to check and update your BIOS version. In most modern PCs, both are possible directly from the BIOS itself. After entering the BIOS by pressing the indicated button during the system’s initial boot-up, the version number should appear on the main menu. Automatic update functions vary depending on the motherboard manufacturer.
To check your BIOS version from within Windows without rebooting, launch the System Information app by typing its name or “msinfo” into the taskbar’s search box. The BIOS version and date should appear in the list in the right pane. The latest BIOS version can usually be found in the support section of the motherboard manufacturer’s website. All major motherboard makers also offer automatic updates through optional management software.
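For anyone checking more than one machine, the BIOS dates collected this way can be triaged against the availability dates in the table above. The following is an added example, not code from AMD or the original article: the host names and inventory rows are constructed, only a subset of the table is included, and it assumes a BIOS released before the availability date cannot contain the patched AGESA (a newer BIOS still has to be confirmed against the vendor's release notes).

```python
import csv, io
from datetime import date, datetime

# Subset of the article's table: generation -> (minimum AGESA, availability date).
MIN_PATCHED = {
    "2nd Gen AMD EPYC": ("RomePI 1.0.0.H", "2023-Nov-07"),
    "Ryzen 3000 Desktop": ("ComboAM4 1.0.0.B", "2024-Mar"),
    "Ryzen 5000 Desktop": ("ComboAM4v2 1.2.0.B", "2023-Aug-25"),
    "Ryzen 7000 Desktop": ("ComboAM5 1.0.8.0", "2023-Aug-29"),
    "Ryzen Embedded V2000": ("EmbeddedPI-FP6 1.0.0.9", "2024-Apr"),
}

def earliest_day(table_date):
    """Parse '2023-Aug-25', or month-only '2024-Mar' (taken as the 1st)."""
    fmt = "%Y-%b-%d" if table_date.count("-") == 2 else "%Y-%b"
    return datetime.strptime(table_date, fmt).date()

def triage(generation, bios_date, as_of):
    """Classify one machine from its BIOS release date (a datetime.date)."""
    if generation not in MIN_PATCHED:
        return "UNKNOWN_GENERATION"
    _, available = MIN_PATCHED[generation]
    fix_day = earliest_day(available)
    if fix_day > as_of:
        return "FIX_NOT_RELEASED"  # nothing to install yet; watch the vendor page
    if bios_date < fix_day:
        return "PREDATES_FIX"      # built before the patched AGESA existed
    return "VERIFY_AGESA"          # new enough; confirm AGESA in release notes

# Constructed inventory (hypothetical hosts); bios_date is the BIOS release date.
SAMPLE_INVENTORY = """host,generation,bios_date
ws-01,Ryzen 5000 Desktop,2022-11-03
ws-02,Ryzen 5000 Desktop,2023-09-14
ws-03,Ryzen 3000 Desktop,2023-05-20
srv-01,2nd Gen AMD EPYC,2023-08-01
kiosk-01,Not in table,2024-01-10
"""

def triage_inventory(csv_text, as_of):
    """Map each host in a CSV inventory to its triage state."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["generation"],
                              date.fromisoformat(r["bios_date"]), as_of)
            for r in rows}

if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY, date(2024, 2, 15))
    for host, state in result.items():
        print(f"{host:10} {state}")
```

Hosts reported as `VERIFY_AGESA` are not confirmed patched; the AGESA string in the BIOS release notes still has to meet the minimum in the table.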