RMPocalypse: Single 8-Byte Write Shatters AMD’s SEV-SNP Confidential Computing

Steven

RMPocalypse: Single 8-Byte Write Shatters AMD’s SEV-SNP Confidential Computing

Summary

Researchers at ETH Zürich disclosed a flaw called RMPocalypse that allows a single 8-byte write to the Reverse Map Paging (RMP) table to compromise AMD’s SEV‑SNP confidential computing guarantees. The attack abuses a race condition during RMP initialization by the Platform Security Processor (PSP/ASP), enabling an admin‑level hypervisor to overwrite RMP entries and void integrity and confidentiality protections for confidential virtual machines (CVMs).

AMD has assigned CVE-2025-0033 (CVSS v4: 5.9) to the issue and listed multiple EPYC families as affected. Microsoft and Supermicro have acknowledged the vulnerability; fixes include BIOS updates and firmware/PSP mitigations, with some embedded EPYC fixes planned for November 2025.

Key Points

  • RMPocalypse enables corruption of the Reverse Map Paging (RMP) table via a single 8‑byte write during SEV‑SNP initialization.
  • The flaw is a race condition tied to ASP/PSP initialisation that can let a malicious hypervisor manipulate initial RMP contents.
  • With a compromised RMP, SEV‑SNP integrity and confidentiality guarantees are effectively nullified; researchers claim 100% secret exfiltration success in their tests.
  • AMD assigned CVE‑2025‑0033 (CVSS v4: 5.9) and confirmed affected EPYC 7003/8004/9004/9005 series (and several embedded families).
  • Vendors including Microsoft and Supermicro have acknowledged the issue; mitigations include BIOS and firmware updates, with some fixes due in November 2025 for embedded SKUs.
  • The vulnerability highlights incomplete platform protection for RMP and follows broader research (eg. Battering RAM) showing ongoing risks to cloud processor defences.

Why should I read this?

Short answer: because if you run AMD SEV‑SNP anywhere — cloud, colocation or on‑prem — this one glitch can wipe out the security promises you relied on. We read the heavy tech detail so you don’t have to: who’s affected, how it works at a high level, and what to patch or watch for.

Source

Source: https://thehackernews.com/2025/10/rmpocalypse-single-8-byte-write.html