VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 14, 2023· Updated Jul 28, 2025

CVE-2023-31100

CVE-2023-31100

Description

Improper access control in Phoenix SecureCore Technology 4 SMI handler allows unauthorized SPI flash modification, enabling firmware-level compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper access control in Phoenix SecureCore Technology 4 SMI handler allows unauthorized SPI flash modification, enabling firmware-level compromise.

Vulnerability

An improper access control vulnerability exists in the SMI (System Management Interrupt) handler of Phoenix SecureCore™ Technology™ 4 firmware [1]. This flaw allows an attacker to bypass access controls and modify the SPI flash memory. The affected versions are: from 4.3.0.0 before 4.3.0.203, from 4.3.1.0 before 4.3.1.163, from 4.4.0.0 before 4.4.0.217, and from 4.5.0.0 before 4.5.0.138 [1].

Exploitation

An attacker with local access to the system can exploit the vulnerability by sending specially crafted SMI requests to the vulnerable handler. The precise exploitation steps are not publicly disclosed, but the attack requires the ability to trigger an SMI [1].

Impact

Successful exploitation allows the attacker to modify the SPI flash, leading to persistent firmware compromise. This can result in the installation of bootkits, arbitrary code execution at the firmware level, and a complete loss of system integrity and availability [1].

Mitigation

Phoenix Technologies has released patches for the affected versions. Users should update their firmware to SecureCore Technology 4.3.0.203, 4.3.1.163, 4.4.0.217, or 4.5.0.138, as applicable [1]. There are no known workarounds, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

References
  1. Phoenix Technologies SPI SMM Driver Vulnerability - Phoenix Technologies - Leading PC Innovation since 1979

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Phoenix/SecureCore Technology 4llm-fuzzy2 versions
    >=4.3.0.0 <4.3.0.203, >=4.3.1.0 <4.3.1.163, >=4.4.0.0 <4.4.0.217, >=4.5.0.0 <4.5.0.138+ 1 more
    • (no CPE)range: >=4.3.0.0 <4.3.0.203, >=4.3.1.0 <4.3.1.163, >=4.4.0.0 <4.4.0.217, >=4.5.0.0 <4.5.0.138
    • (no CPE)range: 4.3.0.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.