RMPocalypse: Exploiting a Single 8-Byte Write to Compromise AMD’s SEV-SNP Confidential Computing

AMD has recently addressed a critical security vulnerability, termed RMPocalypse, which poses a significant threat to the confidentiality and integrity guarantees provided by its Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) technology. This flaw, identified by researchers Benedict Schlüter and Shweta Shinde from ETH Zürich, exploits incomplete protections within AMD’s architecture, allowing an attacker to perform a single memory write to the Reverse Map Paging (RMP) table. The RMP table is a crucial data structure that stores security metadata for all DRAM pages in the system.

Understanding the Reverse Map Table (RMP):

The RMP is a structure residing in DRAM that maps system physical addresses (sPAs) to guest physical addresses (gPAs). According to AMD’s specification documentation, there is only one RMP for the entire system, configured using x86 model-specific registers (MSRs). This table also contains various security attributes managed by the hypervisor through hardware-mediated and firmware-mediated controls.

The Role of the Platform Security Processor (PSP):

To initialize the RMP, AMD utilizes the Platform Security Processor (PSP), which is essential for enabling SEV-SNP on the platform. The RMPocalypse attack exploits a memory management flaw during this initialization phase, allowing attackers to access sensitive information, thereby violating SEV-SNP’s confidentiality and integrity protections.

The Core of the Vulnerability:

The primary issue lies in inadequate safeguards for the security mechanism itself: the RMP, which exists to protect guest memory, is not itself fully protected during the startup of a virtual machine, and that gap opens the door to RMP corruption.

ETH Zürich researchers highlighted that this gap could enable attackers with remote access to bypass certain protective functions and manipulate the virtual machine environment, which is intended to be securely isolated. The vulnerability can be exploited to activate hidden functions (such as a debug mode), forge attestation reports so that security checks appear to pass, restore previous states (replay attacks), and even inject foreign code.

Potential Impact of Exploitation:

Successfully exploiting RMPocalypse allows a malicious actor to arbitrarily tamper with the execution of confidential virtual machines (CVMs) and exfiltrate all secrets with a 100% success rate, as demonstrated by the researchers.

AMD’s Response and Affected Chipsets:

In response to these findings, AMD has assigned the CVE identifier CVE-2025-0033 (CVSS v4 score: 5.9) to this vulnerability. The company describes it as a race condition that can occur while the AMD Secure Processor (ASP or PSP) is initializing the RMP. This condition could allow a malicious hypervisor to manipulate the initial RMP content, potentially resulting in the loss of SEV-SNP guest memory integrity.

AMD’s advisory notes that improper access control within AMD SEV-SNP could allow an admin-privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity.

The following AMD chipsets are impacted by this flaw:

– AMD EPYC™ 7003 Series Processors
– AMD EPYC™ 8004 Series Processors
– AMD EPYC™ 9004 Series Processors
– AMD EPYC™ 9005 Series Processors
– AMD EPYC™ Embedded 7003 Series Processors (Fix planned for release in November 2025)
– AMD EPYC™ Embedded 8004 Series Processors
– AMD EPYC™ Embedded 9004 Series Processors
– AMD EPYC™ Embedded 9005 Series Processors (Fix planned for release in November 2025)

Industry Acknowledgment and Mitigation Efforts:

Both Microsoft and Supermicro have acknowledged CVE-2025-0033. Microsoft has stated that it is working to remediate the issue in Azure Confidential Computing’s (ACC) AMD-based clusters. Supermicro indicated that impacted motherboard SKUs require a BIOS update to address the flaw.

Technical Details of the Attack:

The RMPocalypse attack demonstrates that AMD’s platform protection mechanisms are not complete, leaving a small window of opportunity for attackers to maliciously overwrite the RMP during initialization. Due to the design of the RMP, a single overwrite of 8 bytes within the RMP can cause the entire RMP to become compromised.

With a compromised RMP, all integrity guarantees of SEV-SNP become void. Case studies show that an attacker-controlled RMP not only voids the integrity but also results in a full breach of confidentiality.
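To make concrete why one 8-byte write is enough, here is an added decoder and consistency check for an RMP entry; it is not code from the researchers or from AMD. It assumes the raw, non-architectural 16-byte entry layout that AMD documents for EPYC 7003 (Family 19h Model 01h) and that the Linux kernel mirrors in its struct rmpentry_raw, in which every security attribute of a page (assigned, immutable, validated, VMSA, ASID, gPA) sits in the low qword; newer parts read entries through the RMPREAD instruction, so the layout should not be assumed to hold for them. The sample entries are constructed, not captured from hardware.

```python
import struct
from dataclasses import dataclass

RMP_ENTRY_SIZE = 16    # bytes per entry; all security state sits in the low qword
PAGE_SHIFT = 12
GPA_FIELD_BITS = 39    # the gpa field stores the 4 KiB page-frame number

@dataclass(frozen=True)
class RmpEntry:
    assigned: bool     # owned by a guest/firmware rather than the hypervisor
    pagesize_2m: bool  # 2 MiB mapping instead of 4 KiB
    immutable: bool    # firmware-owned; a hypervisor RMPUPDATE cannot change it
    gpa: int           # guest physical address the page is mapped at
    asid: int          # ASID of the owning guest (0 = hypervisor/firmware)
    vmsa: bool         # page holds a VM save area (vCPU register state)
    validated: bool    # guest has accepted the page with PVALIDATE

def decode_rmp_entry(raw: bytes) -> RmpEntry:
    """Decode one 16-byte little-endian RMP entry; the high qword is reserved."""
    if len(raw) != RMP_ENTRY_SIZE:
        raise ValueError("RMP entry must be exactly 16 bytes")
    lo, _hi = struct.unpack("<QQ", raw)
    return RmpEntry(
        assigned=bool(lo & 1),
        pagesize_2m=bool((lo >> 1) & 1),
        immutable=bool((lo >> 2) & 1),
        gpa=((lo >> 12) & ((1 << GPA_FIELD_BITS) - 1)) << PAGE_SHIFT,
        asid=(lo >> 51) & 0x3FF,
        vmsa=bool((lo >> 61) & 1),
        validated=bool((lo >> 62) & 1),
    )

def audit_rmp_entry(entry: RmpEntry) -> list:
    """Flag states a correctly initialised RMP can never hold; the same kind of
    consistency check a host applies when diagnosing RMP-violation faults."""
    problems = []
    if entry.validated and not entry.assigned:
        problems.append("validated but not assigned to any guest")
    if entry.vmsa and not entry.assigned:
        problems.append("VMSA page not assigned to any guest")
    if entry.pagesize_2m and entry.gpa % (2 << 20):
        problems.append("2 MiB page whose gPA is not 2 MiB aligned")
    return problems

# Constructed sample entries (not captured from hardware): a healthy validated
# 4 KiB page of guest ASID 3 at gPA 0x7f000, and one whose low qword was clobbered.
HEALTHY = struct.pack("<QQ", 0x401800000007F001, 0)
CLOBBERED = struct.pack("<QQ", 0x6000000000000000, 0)
```

Decoding HEALTHY yields a validated, assigned 4 KiB page for ASID 3 with no findings, while CLOBBERED shows that changing the single low qword is enough to produce a page that claims to be validated and to hold a VMSA without belonging to any guest.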

Broader Implications:

This development comes weeks after a group of academics from KU Leuven and the University of Birmingham demonstrated a new vulnerability called Battering RAM, which bypasses the latest defenses on Intel and AMD cloud processors.

The discovery of RMPocalypse underscores the critical importance of robust security mechanisms in hardware design, especially as confidential computing becomes increasingly prevalent in cloud environments. It highlights the need for continuous vigilance and prompt patching to maintain the integrity and confidentiality of sensitive data.