Recommended reading

AMD partners roll out new BIOS updates to patch TPM vulnerability — error with AMD CPUs addressed with AGESA 1.2.0.3e

News
By published

Impacts most, if not all, CPUs from Zen+ through Zen 5 architectures.

Ryzen 9000 CPU
(Image credit: AMD)

Board partners are now rolling out freshly baked BIOS updates based on AMD's AGESA 1.2.0.3e firmware. The updates are designed to patch a security flaw that could allow hackers to read sensitive data stored within the TPM (Trusted Platform Module), via VideoCardz. At least for some manufacturers, this BIOS update is a one-way street; you cannot roll back to an older release once you install it.

Hackers can exploit this security flaw by triggering an out-of-bounds read beyond the TPM2.0 routine. By doing so, these unauthorized users can gain access to sensitive data or disrupt the TPM's functionality as a whole. This stems from a bug (CVE-2025-2884), ranked 6.6 (Medium) on the CVSS scale, in TPM2.0's Module Library, which refers to standardized code that TPM 2.0 chips use for various functions.

While the AGESA 1.2.0.3e firmware only targets AM5-based processors, the security bug it addresses impacts a much wider range of AMD CPUs. Hence, it's best to consult the official security bulletin to determine if a mitigation is available for your processor. What makes this particular bug concerning is its accessibility, since it can be exploited using standard user-mode privileges, meaning an attacker doesn't need kernel-level access. This is a significant difference from previous vulnerabilities, including one that could execute unsigned microcode but required kernel-level access.

Impacted processors include a wide range of Ryzen processors between Athlon 3000 "Dali" / Ryzen 3000 "Matisse" and Ryzen 9000 "Granite Ridge" on desktop, and between Ryzen 3000 Mobile "Picasso", and Ryzen AI 300 "Strix Point" on mobile. Similarly, all workstation CPUs from Threadripper 3000 "Castle Peak" to Threadripper 7000 "Storm Peak" are also vulnerable to this bug. That being said, patches for most of these processors have been deployed across different timelines in the past few months. AM5-based CPUs are the most recent and are the latest to receive the update.

Image 1 of 2
MSI X870E Carbon WiFi AGESA 1.2.0.3e BIOS
(Image credit: MSI)

Several motherboard partners, including Asus and MSI, have started to roll out BIOS updates based on the new AGESA 1.2.0.3e firmware. In addition to fixing the aforementioned TPM flaw, this firmware also adds support for a new and upcoming Ryzen CPU, likely alluding to Ryzen 9000F series processors. It is best to consult your motherboard vendor's support page to see if a new BIOS is available, and update accordingly.

Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.

See more CPUs News
TOPICS
Hassam Nasir
Hassam Nasir
Contributing Writer

Hassam Nasir is a die-hard hardware enthusiast with years of experience as a tech editor and writer, focusing on detailed CPU comparisons and general hardware news. When he’s not working, you’ll find him bending tubes for his ever-evolving custom water-loop gaming rig or benchmarking the latest CPUs and GPUs just for fun.

6 Comments Comment from the forums
  • Alvar "Miles" Udell
    The question is if 500 and 400 series AM4 motherboards will receive the update as well. Techpowerup's article sort of suggests only AM5 will be updated as they mention MSI stating that fixes are rolling out to AM5 motherboards, nothing about AM4.
    Reply
  • itsrunny
    Alvar Miles Udell said:
    The question is if 500 and 400 series AM4 motherboards will receive the update as well. Techpowerup's article sort of suggests only AM5 will be updated as they mention MSI stating that fixes are rolling out to AM5 motherboards, nothing about AM4.
    well the issue is that AMD have only patched the issue in the latest AM5 firmware(AGESA 1.2.0.3e) thus far, i'd be shocked if they didn't release updated AM4 firmware in the coming days though and then it's up to the Motherboard manufacturers as to whether they in-turn release an updated BIOS which includes the updated firmware, given the severity, i'd be very surprised if all the majors didn't....
    Reply
  • JustSayn
    itsrunny said:
    well the issue is that AMD have only patched the issue in the latest AM5 firmware(AGESA 1.2.0.3e) thus far, i'd be shocked if they didn't release updated AM4 firmware in the coming days though and then it's up to the Motherboard manufacturers as to whether they in-turn release an updated BIOS which includes the updated firmware, given the severity, i'd be very surprised if all the majors didn't....
    The article implies that patches for previous AM4 processor have been deployed over the last few months.

    "Impacted processors include a wide range of Ryzen processors between Athlon 3000 "Dali" / Ryzen 3000 "Matisse" and Ryzen 9000 "Granite Ridge" on desktop, and between Ryzen 3000 Mobile "Picasso", and Ryzen AI 300 "Strix Point" on mobile. Similarly, all workstation CPUs from Threadripper 3000 "Castle Peak" to Threadripper 7000 "Storm Peak" are also vulnerable to this bug. That being said, patches for most of these processors have been deployed across different timelines in the past few months"
    Reply
  • itsrunny
    JustSayn said:
    The article implies that patches for previous AM4 processor have been deployed over the last few months.

    "Impacted processors include a wide range of Ryzen processors between Athlon 3000 "Dali" / Ryzen 3000 "Matisse" and Ryzen 9000 "Granite Ridge" on desktop, and between Ryzen 3000 Mobile "Picasso", and Ryzen AI 300 "Strix Point" on mobile. Similarly, all workstation CPUs from Threadripper 3000 "Castle Peak" to Threadripper 7000 "Storm Peak" are also vulnerable to this bug. That being said, patches for most of these processors have been deployed across different timelines in the past few months"
    yeah, it's a tough read ain't it! according to the AMD security bulletin it was fixed last year for 7000 Series processors also, the difference being it would appear is that AGESA 1.2.0.3e is for ASP fTPM + Pluton TPM, whereas ComboAM5PI_1.2.0.2 and ComboAM5PI_1.1.0.3b, which were released last year, only resolved the issue for ASP fTPM? Don't know, all very confusing, so yeah, like i said, it's a tough read!
    Reply
  • das_stig
    TPM2 is a must for security, seems to have more holes and updates than TPM1.2 had?
    Reply
  • TechNomad
    TPM: just another attack vector. Best case, all that's been done is to increase platform and OS bloat. Instead of two steps forward and one back, it's more like two steps forward and two back.
    Reply