AMD's AutoUpdate Software Contains Critical RCE Vulnerability, Company Declines to Fix
#Vulnerabilities

Startups Reporter

Security researcher discovers Remote Code Execution vulnerability in AMD's AutoUpdate software that allows attackers to execute arbitrary code through man-in-the-middle attacks, but AMD refuses to address the issue.

A security researcher has uncovered a critical Remote Code Execution (RCE) vulnerability in AMD's AutoUpdate software that could allow attackers to execute arbitrary code on affected systems, but AMD has declined to fix the issue, classifying it as "out of scope."

The Discovery

The vulnerability was discovered after the researcher grew frustrated with an annoying console window that periodically popped up on their new gaming PC. Tracking down the source, they identified AMD's AutoUpdate software as the culprit and decided to decompile it to understand its functionality.

What they found was alarming: while AMD uses HTTPS for their update server URL, the actual executable downloads are served over HTTP. This creates a perfect scenario for man-in-the-middle (MITM) attacks where a malicious actor on the same network or a nation-state actor with ISP access could intercept and modify the download response.

The Technical Details

The AutoUpdate software performs no certificate validation or signature verification on downloaded executables. Once a file is downloaded, whether genuine or substituted by an attacker on the path, the software immediately executes it with full system privileges. This means an attacker could potentially install malware, steal data, or gain complete control over the affected system.

The vulnerability stems from AMD's use of HTTP for executable downloads combined with the complete absence of security checks. The researcher noted that AMD even uses a "Development" URL in their production software, though this particular issue is less concerning than the lack of transport security.
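
To make the missing checks concrete, the following is an added Python example (not AMD's code and not the researcher's) of the verification an updater would perform before running anything it downloaded: refusing plain-HTTP URLs and comparing the artifact against a hash taken from an authenticated manifest. The manifest format, the update host `updates.example.test`, the installer bytes and the `fake_fetch` stand-in for the network are all constructed for the demonstration.

```python
"""Hardened update-download check (added example; not AMD's code).

Models the two defects described above, an executable fetched over plain
HTTP and then run with no integrity check, and shows the checks a defender
would insert before execution. All network I/O is replaced by an in-memory
fake so the script runs offline.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample URL and artifacts for this demonstration (not real AMD files or hosts).
ARTIFACT_URL = "https://updates.example.test/installer.exe"
GENUINE_UPDATE = b"MZ\x90\x00 constructed genuine installer bytes"
TAMPERED_UPDATE = b"MZ\x90\x00 constructed attacker-modified bytes"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact; the manifest carries this value."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical manifest the vendor would publish over HTTPS, listing each artifact's
# expected hash. A signed manifest (e.g. Ed25519 over this document) is stronger still;
# a hash from an authenticated source already defeats substitution of the executable body.
MANIFEST = {
    "manifest_url": "https://updates.example.test/manifest.json",
    "artifacts": {ARTIFACT_URL: sha256_hex(GENUINE_UPDATE)},
}


class UpdateRejected(Exception):
    """Raised when a download fails a policy or integrity check."""


def require_https(url: str) -> None:
    """Refuse any URL that is not HTTPS; a plain-HTTP fetch is exactly what an on-path attacker needs."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"refusing non-HTTPS URL: {url}")


def verify_download(url: str, data: bytes, manifest: dict) -> None:
    """The checks the article says AutoUpdate lacks, applied before anything is executed."""
    require_https(manifest["manifest_url"])  # the hash source itself must be authenticated
    require_https(url)                        # the executable must not travel in the clear
    expected = manifest["artifacts"].get(url)
    if expected is None:
        raise UpdateRejected(f"artifact not listed in manifest: {url}")
    actual = sha256_hex(data)
    # Constant-time compare is cheap insurance even though these digests are public.
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected(f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}...")


def evaluate_update(url: str, data: bytes, manifest: dict = MANIFEST) -> str:
    """Return 'accept' when the artifact may be run, otherwise 'reject: <reason>'."""
    try:
        verify_download(url, data, manifest)
    except UpdateRejected as exc:
        return f"reject: {exc}"
    return "accept"


def fake_fetch(url: str, on_path_attacker: bool) -> bytes:
    """Stand-in for the network: an on-path attacker can rewrite a plain-HTTP response,
    so that case returns tampered bytes; every other case returns the genuine file."""
    if on_path_attacker and urlparse(url).scheme == "http":
        return TAMPERED_UPDATE
    return GENUINE_UPDATE


def run_update_cycle(url: str, on_path_attacker: bool = False) -> str:
    """Fetch, then evaluate: the download-then-execute step with the checks inserted."""
    return evaluate_update(url, fake_fetch(url, on_path_attacker), MANIFEST)


if __name__ == "__main__":
    print(run_update_cycle(ARTIFACT_URL))                                        # accept
    print(run_update_cycle("http://updates.example.test/installer.exe", True))  # reject: refusing non-HTTPS URL ...
    print(evaluate_update(ARTIFACT_URL, TAMPERED_UPDATE))                        # reject: hash mismatch ...
```

The ordering matters: the manifest URL is checked before the artifact URL, and both before the hash, so a downgrade of either transport is refused without ever trusting the bytes. The hash check is the layer that still catches a swapped body if the transport check were somehow bypassed.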

AMD's Response

After reporting the vulnerability on February 5, 2026, the researcher received a response within hours stating that AMD considers this issue "out of scope" and will not be fixing it. The company's rapid dismissal of what appears to be a serious security flaw has raised eyebrows in the security community.

The timeline of events:

  • January 27, 2026: Vulnerability discovered
  • February 5, 2026: Vulnerability reported to AMD
  • February 5, 2026: Report closed as "wont fix/out of scope"
  • February 6, 2026: Blog published detailing the findings

Implications for Users

This decision leaves millions of AMD users potentially vulnerable to attacks, particularly in environments where network traffic can be intercepted, such as public Wi-Fi, corporate networks, or regions where ISP-level surveillance is common.

The vulnerability affects anyone using AMD's AutoUpdate software, which is typically installed on systems with AMD hardware and software components. Given AMD's widespread presence in gaming PCs, workstations, and data centers, the potential impact is significant.

Industry Context

This incident highlights a broader issue in the tech industry where companies sometimes dismiss security vulnerabilities that don't fit neatly into established categories. The researcher's previous work uncovered 1.4 billion exposed user records through insecure Firebase instances in top Android apps, suggesting a pattern of finding serious security issues that companies may be reluctant to address.

For users concerned about this vulnerability, the most immediate mitigation is to disable or uninstall AMD's AutoUpdate software until AMD changes its position. However, this may prevent legitimate driver and firmware updates from being installed automatically.

The case raises important questions about vendor responsibility for security and the processes companies use to evaluate and respond to reported vulnerabilities. As hardware and software become increasingly interconnected, the security implications of seemingly minor components like update utilities can have far-reaching consequences.
