CVE-2025-20034
Description
Improper input validation in the BackupBiosUpdate UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards before version R01.02.0003 may allow a privileged user to potentially enable information disclosure via local access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Intel Server D50DNP/M50FCP BackupBiosUpdate SMI driver allows privileged local users to disclose sensitive information.
Vulnerability Overview
The BackupBiosUpdate UEFI firmware SmiVariable driver in Intel Server D50DNP and M50FCP boards before version R01.02.0003 contains an improper input validation vulnerability [1]. This flaw resides in the System Management Interrupt (SMI) handler responsible for processing variable update requests. The driver fails to adequately validate input parameters, which can lead to unintended memory access and information disclosure.
Exploitation Conditions
Exploitation requires local access to the affected system and a privileged user account (e.g., administrator or root). An attacker with such privileges can craft malicious input to the SMI driver via UEFI runtime services. No network vector is involved; the attack is strictly local [1].
Impact
A successful attack could allow the privileged user to read sensitive data from firmware memory, potentially exposing encryption keys, configuration secrets, or other protected information. The CVSS v3 base score of 5.3 (Medium) reflects the requirement for high privileges and local access, balanced against the potential for confidentiality compromise [1].
Mitigation
Intel has released firmware version R01.02.0003 to address this vulnerability. Users of the affected server boards should update to this version or later. No workarounds are documented; the only mitigation is applying the firmware update [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.