All Topics
All Topics
Technology
Technology
Design
Design
Programming
Programming
Science
Science
News
News
Gaming
Gaming
Entertainment
Entertainment
Business
Business
Finance
Finance
Sports
Sports
Health
Health
Food
Food
Travel
Travel
Art
Art
Music
Music
Books
Books
Education
Education
Politics
Politics
Personal
Personal
No algorithm. No AI slop. No ads. Just RSS. Pro-human. Indie writers. Real journalism. Open web. Chronological. Hand toasted.

AMD AutoUpdate software contained RCE vulnerability; fix took four months after discovery

By

MrBruh

14h ago· 7 min readenInsight
Bagel score 90 of 100
90/100
Golden Brown
Bagelometer

Kettled twice. Extra chewy, extra trustworthy.

Score90TypeanalysisSentimentnegative

Summary

A frustrated gamer discovered a Remote Code Execution (RCE) vulnerability in AMD's AutoUpdate software after being annoyed by a pop-up console window on their new gaming PC. By decompiling the software, they found AMD was using a development URL in production and identified a trivial MITM RCE vulnerability. Following public backlash, AMD agreed to fix the issue in Ryzen Master, but it took them over four months to roll out the patch.

Key quotes

· 4 pulled
After being interrupted multiple times by an annoying console window that would pop up periodically on my new gaming PC, I managed to track the offending executable down to AMD's AutoUpdate software.
In my frustration, I decided to punish this software by decompiling it to figure out how it worked, and accidentally discovered a trivial Remote Code Execution (RCE) vulnerability in the process.
The first thing I found is that they store their update URL in the program's app.config. Although it's a little odd that they use their 'Develpment' URL in production, it uses HTTPS, so it's perfectly
Following backlash, AMD agreed to fix an MITM RCE I discovered in Ryzen Master. All in all, it took them over four months to roll out the fix.
Snippet from the RSS feed
Following backlash, AMD agreed to fix an MITM RCE I discovered in Ryzen Master. All in all, it took them over four months to roll out the fix.

You might also wanna read

Critical Gogs RCE bug (CVSS 9.4) remains unpatched; exploit module now public

A critical remote code execution (RCE) vulnerability rated 9.4/10 has been discovered in Gogs, a popular open-source self-hosted Git service

theregister.com·11d ago

GitHub patches critical remote code execution vulnerability in under six hours after AI-assisted discovery

GitHub patched a critical remote code execution vulnerability in under six hours last month. The flaw, discovered by Wiz Research using AI m

The Verge·1mo ago

Microsoft patches high-severity SharePoint RCE vulnerability CVE-2026-45659

Microsoft has patched a high-severity remote code execution vulnerability (CVE-2026-45659) in SharePoint that affects SharePoint Server Subs

helpnetsecurity.com·15d ago

AI security audit of FreeBSD kernel reveals 15 bugs including RCEs and a hypervisor escape

An AI audit of FreeBSD uncovered 15 kernel bugs, including 3 remote code execution vulnerabilities, 5 local privilege escalation flaws, and

blog.calif.io·14d ago

Critical RCE Vulnerability (CVE-2026-20251) Found in Splunk Products via Unsafe Deserialization

A critical security vulnerability (CVE-2026-20251) has been disclosed affecting multiple versions of Splunk Enterprise, Splunk Cloud Platfor

nvd.nist.gov·1d ago

Critical 7-Zip vulnerability (CVE-8.8) enables code execution via crafted archive files; update to version 26.01 urged

A critical 8.8-rated CVE vulnerability has been discovered in the popular open-source archive utility 7-Zip. The flaw allows remote code exe

tomshardware.com·12d ago