Mallory
Medium

RMPocalypse in AMD SEV-SNP RMP Initialization

Identifiers: CVE-2025-0033, CWE-362

CVE-2025-0033, also referred to as RMPocalypse, is a race condition in AMD SEV-SNP affecting AMD EPYC and EPYC Embedded processors. During initialization of the Reverse Map Table (RMP) by the AMD Secure Processor (ASP), the memory backing the RMP is not fully protected before the table is locked. A malicious or compromised hypervisor with administrative control can win this initialization race and write to RMP entries before protections take effect. Because the RMP is the SEV-SNP mechanism that tracks page ownership and mappings to prevent hypervisor tampering with guest memory, corruption of RMP entries can undermine SEV-SNP guest memory integrity. Reported demonstrations include enabling debug on production confidential VMs, faking attestation, VMSA state replay, and code injection. Microsoft states the issue impacts memory integrity and does not directly expose plaintext guest data or secrets.


ANALYST BRIEF

Impact, mitigation & remediation


Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation breaks core SEV-SNP integrity guarantees for confidential VMs. An attacker controlling the hypervisor can corrupt RMP state and thereby tamper with guest memory protections, enabling actions such as unauthorized debug enablement on production-mode confidential VMs, falsified attestation state, VMSA state replay, and code injection into protected guests. The primary impact is loss of guest memory integrity and trust in confidential-computing assurances; available reporting does not indicate direct plaintext disclosure as an inherent consequence of this flaw alone.

Mitigation

If you can’t patch tonight, do this now.

Where a full fix is not yet available, reduce exposure by strictly limiting and monitoring hypervisor and host administrative access, because exploitation requires privileged control of the hypervisor during SNP initialization. In managed cloud environments, rely on provider guardrails such as isolation, integrity verification, audited management pathways, and continuous monitoring where available. There is no strong guest-side mitigation if the host/hypervisor is malicious; the practical mitigation is to prevent host compromise, restrict privileged operator access, and use updated platforms once firmware fixes are released.

Remediation

Patch, then assume compromise.

Apply vendor-provided firmware and platform updates that address CVE-2025-0033. AMD has stated that patches were provided to OEMs for BIOS updates for affected EPYC and EPYC Embedded platforms. For cloud deployments, follow provider guidance; Microsoft stated that updates for Azure Confidential Computing AMD-based clusters were in progress and that customers may need provider-coordinated maintenance or reboots once fixes are deployed. Remediation therefore consists of installing the relevant BIOS/firmware updates from the hardware or cloud provider as they become available.
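Because the fix ships as ASP/SNP firmware, the guest-side check a confidential-VM owner can make after remediation is to read the platform TCB and guest policy out of the SEV-SNP attestation report and confirm the SNP firmware level and the DEBUG policy bit are what they should be. The following is an added example written for this page, not code from Mallory, AMD or Microsoft. It assumes the ATTESTATION_REPORT field offsets from the AMD SEV-SNP ABI specification (VERSION at 0x000, POLICY at 0x008, CURRENT_TCB at 0x038, REPORTED_TCB at 0x180, COMMITTED_TCB at 0x1E0, a 0x4A0-byte report) and uses a placeholder minimum SNP firmware version, since the page does not state the fixed version; the sample report is constructed and unsigned, so in practice the report signature must be verified against the AMD VCEK chain before any field is trusted.

```python
"""Parse TCB and policy fields from an SEV-SNP attestation report and
check them against a minimum patched firmware level (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Offsets in the ATTESTATION_REPORT structure, per the AMD SEV-SNP ABI
# specification (assumed here; verify against your spec revision).
REPORT_SIZE = 0x4A0
OFF_VERSION = 0x000
OFF_POLICY = 0x008
OFF_CURRENT_TCB = 0x038
OFF_REPORTED_TCB = 0x180
OFF_COMMITTED_TCB = 0x1E0
POLICY_DEBUG_BIT = 19  # guest policy DEBUG flag

# PLACEHOLDER: take the fixed SNP firmware version from the AMD/OEM advisory.
MIN_PATCHED_SNP_FW = 0xFF


@dataclass(frozen=True)
class TcbVersion:
    boot_loader: int
    tee: int
    snp: int
    microcode: int

    @classmethod
    def from_u64(cls, raw: int) -> "TcbVersion":
        # TCB_VERSION layout: BOOT_LOADER[7:0], TEE[15:8], reserved[47:16],
        # SNP[55:48], MICROCODE[63:56]
        return cls(boot_loader=raw & 0xFF, tee=(raw >> 8) & 0xFF,
                   snp=(raw >> 48) & 0xFF, microcode=(raw >> 56) & 0xFF)


@dataclass(frozen=True)
class ReportFields:
    version: int
    debug_allowed: bool
    current_tcb: TcbVersion
    reported_tcb: TcbVersion
    committed_tcb: TcbVersion


def parse_report(report: bytes) -> ReportFields:
    """Extract the fields relevant to a patch-level check from a raw report."""
    if len(report) != REPORT_SIZE:
        raise ValueError(f"unexpected report size {len(report)}")
    u32 = lambda off: struct.unpack_from("<I", report, off)[0]
    u64 = lambda off: struct.unpack_from("<Q", report, off)[0]
    policy = u64(OFF_POLICY)
    return ReportFields(
        version=u32(OFF_VERSION),
        debug_allowed=bool((policy >> POLICY_DEBUG_BIT) & 1),
        current_tcb=TcbVersion.from_u64(u64(OFF_CURRENT_TCB)),
        reported_tcb=TcbVersion.from_u64(u64(OFF_REPORTED_TCB)),
        committed_tcb=TcbVersion.from_u64(u64(OFF_COMMITTED_TCB)),
    )


def check_platform(fields: ReportFields, min_snp_fw: int,
                   allow_debug: bool = False) -> List[str]:
    """Return findings; an empty list means the report passes the policy."""
    findings = []
    if fields.debug_allowed and not allow_debug:
        findings.append("guest policy allows DEBUG; not a production policy")
    for name, tcb in (("reported", fields.reported_tcb),
                      ("committed", fields.committed_tcb)):
        if tcb.snp < min_snp_fw:
            findings.append(f"{name} SNP firmware {tcb.snp:#x} below required {min_snp_fw:#x}")
    # A platform cannot truthfully report a newer SNP firmware than it runs.
    if fields.reported_tcb.snp > fields.current_tcb.snp:
        findings.append("reported TCB SNP version exceeds current TCB; inconsistent report")
    return findings


def build_sample_report(snp_fw: int, debug: bool = False,
                        current_snp: Optional[int] = None) -> bytes:
    """Constructed, unsigned sample report for demonstration only."""
    buf = bytearray(REPORT_SIZE)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    policy = (1 << 17) | ((1 << POLICY_DEBUG_BIT) if debug else 0)  # bit 17 is reserved-must-be-1
    struct.pack_into("<Q", buf, OFF_POLICY, policy)

    def tcb(bl: int, tee: int, snp: int, ucode: int) -> int:
        return bl | (tee << 8) | (snp << 48) | (ucode << 56)

    cur = snp_fw if current_snp is None else current_snp
    struct.pack_into("<Q", buf, OFF_CURRENT_TCB, tcb(3, 0, cur, 0x49))
    struct.pack_into("<Q", buf, OFF_REPORTED_TCB, tcb(3, 0, snp_fw, 0x49))
    struct.pack_into("<Q", buf, OFF_COMMITTED_TCB, tcb(3, 0, snp_fw, 0x49))
    return bytes(buf)


if __name__ == "__main__":
    for label, raw in (("patched", build_sample_report(0x20)),
                       ("unpatched+debug", build_sample_report(0x10, debug=True))):
        print(label, check_platform(parse_report(raw), min_snp_fw=0x20) or "OK")
```

The check is deliberately split into parsing and policy so the same parser can feed a real report obtained from the guest's SNP guest device; only the minimum-version constant and the signature verification step need to be supplied from the vendor advisory and the AMD certificate chain respectively.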

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
