AMD Draws Criticism After Denying Bounty for Auto-Updater MITM RCE Flaw
AMD fixed a critical remote code execution weakness in its auto-updater software after researcher Paul reported that downloads were being fetched over insecure HTTP, creating a man-in-the-middle path to deliver malicious code. The company took 124 days to ship a fix because multiple tools required coordinated updates, and the researcher later confirmed the software now retrieves drivers more securely. Reporting also noted lingering concerns about implementation details, including continued reliance on CRC32 for file validation, and claims from a Reddit user that the vulnerable updater path may not have been actively used, potentially requiring users to download a fresh version of AMD’s software to receive the remediation.
The dispute escalated after AMD allegedly refused to pay an expected $10,000 bug bounty, arguing that man-in-the-middle attacks were outside the scope of its program despite earlier indications that it would issue a CVE, credit the researcher, and address the flaw. Security community criticism intensified further after AMD was reported to have changed its disclosure and bounty rules to require non-disclosure even for findings deemed out of scope, a move critics said could discourage transparency and weaken incentives for independent vulnerability research.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
AMD allegedly changes disclosure rules, prompting backlash
The dispute escalated when AMD was reported to have changed its bug bounty and disclosure rules to require non-disclosure even for out-of-scope bugs. Security community critics said the changes discourage transparency and undervalue researchers.
Researcher verifies fix but flags CRC32 validation weakness
After the update, Paul verified that the software now downloads drivers securely, but noted that it still uses CRC32 for file validation, which is not cryptographically secure.
AMD ships coordinated fix after 124-day remediation period
AMD took 124 days to address the vulnerability, saying multiple affected tools required coordinated releases and reengineering of the download code. The updated software changed driver downloads to use a secure method.
AMD denies bug bounty for reported updater vulnerability
AMD declined to pay the expected $10,000 bug bounty, saying its program policy did not cover man-in-the-middle attacks even though the reported issue could lead to remote code execution.
AMD asks researcher to remove public blog post temporarily
After the disclosure, AMD asked the researcher to temporarily take down his public blog post about the vulnerability while the company worked on remediation.
Researcher reports AMD auto-updater MITM RCE issue to AMD
A researcher identified as Paul reported a potential remote code execution vulnerability in AMD's auto-updater software caused by insecure HTTP downloads that enabled a man-in-the-middle attack path. AMD told him it would issue a CVE, fix the issue, and credit him, according to the report.
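Why the CRC32 point in the timeline above matters, as an added example that is not code from AMD's software or from the cited reports: CRC32 is an unkeyed, linear checksum, so it catches accidental corruption but cannot authenticate a file, while a SHA-256 digest taken from an authenticated manifest can. The sample bytes, the manifest layout and every function name here are constructed for illustration.

```python
import hashlib
import hmac
import zlib

def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    """Byte-wise XOR of three equal-length buffers."""
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))

def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc32(a^b^c) == crc32(a)^crc32(b)^crc32(c).
    The checksum of a modified file is fully predictable from public values."""
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    return zlib.crc32(xor3(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

def sha256_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation tested against SHA-256, where it does not hold."""
    def digest(m: bytes) -> int:
        return int.from_bytes(hashlib.sha256(m).digest(), "big")
    return digest(xor3(a, b, c)) == digest(a) ^ digest(b) ^ digest(c)

def verify_update(data: bytes, manifest: dict) -> bool:
    """Accept a download only if its size and SHA-256 match the manifest.
    Assumption: the manifest itself is authenticated (signed, or fetched over
    verified TLS); a digest fetched over plain HTTP adds nothing."""
    if len(data) != manifest["size"]:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])

# Constructed sample data, not real driver packages.
ORIGINAL = b"constructed driver package v1.0 " * 4
TAMPERED = ORIGINAL[:-1] + b"!"
OTHER = bytes(i % 256 for i in range(len(ORIGINAL)))
MANIFEST = {"size": len(ORIGINAL),
            "sha256": hashlib.sha256(ORIGINAL).hexdigest()}

if __name__ == "__main__":
    print("CRC32 affine relation holds:", crc32_is_affine(ORIGINAL, TAMPERED, OTHER))
    print("SHA-256 affine relation holds:", sha256_is_affine(ORIGINAL, TAMPERED, OTHER))
    print("original accepted:", verify_update(ORIGINAL, MANIFEST))
    print("tampered accepted:", verify_update(TAMPERED, MANIFEST))
```

In a real updater the manifest check would normally sit behind a code-signature check on the package itself, so that integrity does not depend on the transport alone.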
Sources
AMD faces backlash over alleged bug bounty denial and changed disclosure rules | brief | SC Media (scworld.com)
AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability - security flaw took 124 days to patch | Tom's Hardware (tomshardware.com)