wikiCreating Safety instructions for AMD-SB-7028 AMD SMM Callout Vulnerability
On August 12th 2025, AMD published the Security Bulletin AMD-SB-4012 [1]. Safety vulnerabilities were discovered in SMM (System Management Mode), AMD Security Processor (ASP) and in other platform components.
Affected systems
AMD Threadripper systems:
- systems with AMD Ryzen Threadripper 3000 / PRO 3000WX processors
- systems with AMD Ryzen Threadripper PRO 5000WX processors
- systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
Problem solution
In the following, there is a tabular list of the corresponding CVEs and AGESA & firmware updates for the correction of each threadripper generation if available.
AMD Ryzen Threadripper 3000:
| safety vulnerabilities | risk potential: | AGESA version |
|---|---|---|
| CVE-2024-36354 | 7.2 (high) | CastlePeakPI-SP3r3 1.0.0.D (2024-11-14) |
| CVE-2023-20540 | 1.8 (low) | CastlePeakPI-SP3r3 1.0.0.C (2024-09-03) |
| CVE-2023-20572 | 5.6 (medium) | |
| CVE-2023-31330 | 1.8 (low) | |
| CVE-2024-21947 | 7.1 (high) | |
| CVE-2024-21970 | 6.7 (medium) | |
| CVE-2021-26377 | 5.6 (medium) | CastlePeakPI-SP3r3 1.0.0.7 (2022-01-28) |
AMD Ryzen Threadripper PRO 3000WX:
| safety vulnerabilities | risk potential: | AGESA version |
|---|---|---|
| CVE-2024-36354 | 7.2 (high) | CastlePeakWSPI-sWRX8 1.0.0.F (2024-11-14) |
| CVE-2023-20540 | 1.8 (low) | CastlePeakWSPI-sWRX8 1.0.0.E (2024-09-03) |
| CVE-2023-20572 | 5.6 (medium) | |
| CVE-2023-31330 | 1.8 (low) | |
| CVE-2024-21947 | 7.1 (high) | |
| CVE-2024-21970 | 6.7 (medium) | |
| CVE-2021-26377 | 5.6 (medium) | CastlePeakWSPI-sWRX8 1.0.0.9 (2022-01-20) |
AMD Ryzen Threadripper PRO 5000WX:
| safety vulnerability | risk potential: | AGESA version |
|---|---|---|
| CVE-2024-36354 | 7.2 (high) | ChagallWSPI-sWRX8 1.0.0.A (2024-11-20) |
| CVE-2023-20540 | 1.8 (low) | ChagallWSPI-sWRX8 1.0.0.9 (2024-09-18) |
| CVE-2023-20572 | 5.6 (medium) | |
| CVE-2023-31330 | 1.8 (low) | |
| CVE-2024-21970 | 6.7 (medium) | |
| CVE-2024-21947 | 7.1 (high) | ChagallWSPI-sWRX8 1.0.0.7 (2024-01-12) |
| CVE-2021-26377 | 5.6 (medium) | CastlePeakWSPI-sWRX8 1.0.0.9 (2022-01-20) |
| CVE-2021-46757 | 5.6 (medium) | |
| CVE-2024-21977 | 4.6 (medium) | ChagallWSPI-sWRX8 1.0.0.8 (2024-07-23) |
AMD Ryzen Threadripper 7000:
| safety vulnerability | risk potential: | AGESA version |
|---|---|---|
| CVE-2023-20572 | 5.6 (medium) | StormPeakPI-SP6 1.1.0.0c (2023-12-18) |
| CVE-2023-31330 | 1.8 (low) |
AMD Ryzen Threadripper PRO 7000WX:
| safety vulnerability | risk potential: | AGESA version |
|---|---|---|
| CVE-2023-20572 | 5.6 (medium) | StormPeakPI-SP6 1.0.0.1e (2023-12-18) |
| CVE-2023-31330 | 1.8 (low) |
Supermicro published a Security Bulletin about the safety vulnerabilities. A list with BIOS versions of the corresponding mainboards, with an AGESA version to close the gaps, is also available. In the following, there is an extract of this chart, which includes all motherboards offered by Thomas-Krenn:[2]
| AMD motherboard | BIOS version |
|---|---|
| M12SWA-TF | 2.4 |
| H13SAE-MF | 2.2 |
Updates for products of Thomas-Krenn
Updates for the corresponding system can be found in the download area of Thomas-Krenn. The updates in the download area have been tested by us to guarantee the stability and compatibility of our systems.
If you require the latest version for your system and it is not yet available in our download area, you can get it in the download area of Asus or Supermicro.
References
- ↑ AMD Client Vulnerabilities – August 2025 (www.amd.com/en/resources/product-security)
- ↑ AMD Security Vulnerabilities, August 2025 (www.supermicro.com)
More information
- AMD and Intel fill numerous safety vulnerabilities (www.heise.de, 13.08.2025)
 |
Author: Thomas-Krenn.AG At Thomas-Krenn.AG we pay attention to the best possible service. To do justice to this, we have created our Thomas-Krenn Wiki. Here we share our knowledge with you and inform you about basics and news from the IT world. You like our knowledge culture and want to become part of the team? Visit our job offers.
|
 |
Translator: Alina Ranzinger Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.
|
