Intel Xeon ACTM Firmware Escalation: Brief Summary of CVE-2025-24305

Brief summary of CVE-2025-24305, a privilege escalation vulnerability in Intel Xeon Alias Checking Trusted Module (ACTM) firmware due to insufficient control flow management. Includes technical details, affected versions, and vendor history based on available public sources.

ZeroPath CVE Analysis

2025-08-12

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Privilege escalation in the core firmware of Intel Xeon processors can undermine isolation guarantees for critical workloads in data centers and cloud environments. CVE-2025-24305 exposes a flaw in the Alias Checking Trusted Module (ACTM) firmware, directly impacting trusted computing features such as Intel SGX and TDX.

About Intel and Xeon: Intel is the dominant provider of server and data center processors worldwide. Its Xeon line powers a significant share of enterprise, cloud, and high-performance computing infrastructure. Intel's security technologies, including SGX and TDX, are foundational for confidential computing and trusted execution environments across the industry.

Technical Information

CVE-2025-24305 is caused by insufficient control flow management (CWE-691) in the ACTM firmware for some Intel Xeon processors. The ACTM is a firmware module responsible for memory alias detection and isolation, supporting the integrity of Intel's trusted computing base (TCB) for SGX and TDX.

The vulnerability allows a privileged local user to manipulate the control flow of the ACTM firmware. This can result in the bypassing of security boundaries enforced by the trusted module, enabling escalation of privilege. The flaw is rooted in logic or validation errors in the firmware's control flow implementation. Exploitation requires local administrative access. No public exploit code or detailed attack vectors have been disclosed.

Affected Systems and Versions

  • Intel Xeon processors with ACTM firmware are affected
  • Specific affected models and firmware versions are listed in Intel's advisory INTEL-SA-01313
  • Vulnerability requires local privileged access
  • Systems using Intel SGX or TDX features are particularly relevant
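The list above leaves the practical question of which hosts in a fleet actually need attention. The following triage helper is an added example written for this summary; it is not code from Intel, ZeroPath or the advisory. It parses a /proc/cpuinfo dump, pulls out family, model, stepping and microcode revision, checks whether the kernel exposes SGX or TDX-host capability flags, and compares the microcode revision against a per-model minimum. The minimum-revision table is a constructed placeholder: the authoritative affected-model and fixed-version data lives in INTEL-SA-01313 and must be copied from there. The flag name `sgx` is what Linux reports for SGX-capable CPUs; `tdx_host_platform` is assumed to be the corresponding TDX-host flag. Because /proc/cpuinfo carries no ACTM version field, the microcode revision is used only as a proxy signal for prioritisation, not as proof that the ACTM update has been applied.

```python
"""Fleet triage for CVE-2025-24305 exposure (added example, not vendor code).

Flags hosts that (a) expose SGX/TDX-host capability and (b) report a
microcode revision below a per-model threshold. The threshold table below is
a constructed placeholder; take real values from INTEL-SA-01313.
"""
from dataclasses import dataclass, field

# Capability flags as printed in the 'flags' line of /proc/cpuinfo.
# 'sgx' is the Linux SGX flag; 'tdx_host_platform' is assumed for TDX hosts.
TEE_FLAGS = {"sgx", "tdx_host_platform"}

# PLACEHOLDER policy: (cpu family, model) -> minimum microcode revision that
# is treated as carrying the fix. Constructed values, not advisory data.
FIXED_MICROCODE = {
    (6, 0x8F): 0x2B000620,   # placeholder for one Xeon model
    (6, 0xCF): 0x21000300,   # placeholder for another Xeon model
}


@dataclass
class CpuInfo:
    family: int
    model: int
    stepping: int
    microcode: int
    flags: set = field(default_factory=set)


def parse_cpuinfo(text: str) -> CpuInfo:
    """Parse the first 'processor' block of a /proc/cpuinfo dump."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break            # blank line ends the first processor block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return CpuInfo(
        family=int(fields["cpu family"]),
        model=int(fields["model"]),
        stepping=int(fields["stepping"]),
        microcode=int(fields["microcode"], 0),   # accepts '0x...' or decimal
        flags=set(fields.get("flags", "").split()),
    )


def assess(info: CpuInfo, policy=FIXED_MICROCODE) -> dict:
    """Classify a host: patched / exposed / outdated / not_in_policy."""
    tee = sorted(info.flags & TEE_FLAGS)
    min_rev = policy.get((info.family, info.model))
    if min_rev is None:
        status = "not_in_policy"        # model not covered by the table
    elif info.microcode >= min_rev:
        status = "patched"
    elif tee:
        status = "exposed"              # below threshold and TEE features present
    else:
        status = "outdated"             # below threshold, but no SGX/TDX exposed
    return {"status": status, "tee": tee, "microcode": hex(info.microcode)}


def assess_local_host(path: str = "/proc/cpuinfo") -> dict:
    """Read the live cpuinfo file and assess this machine."""
    with open(path, encoding="utf-8") as fh:
        return assess(parse_cpuinfo(fh.read()))


# Constructed sample dump (two processor blocks, values are illustrative).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 143
model name\t: Intel(R) Xeon(R) (constructed sample)
stepping\t: 8
microcode\t: 0x2b000603
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sgx sgx_lc
bugs\t\t:

processor\t: 1
cpu family\t: 6
model\t\t: 143
"""

if __name__ == "__main__":
    print("sample host:", assess(parse_cpuinfo(SAMPLE_CPUINFO)))
    try:
        print("this host:  ", assess_local_host())
    except (OSError, KeyError) as exc:
        print("local assessment skipped:", exc)
```

Run it on each host (or feed it collected cpuinfo dumps) and treat "exposed" results as the first candidates for the platform-firmware update; a "patched" verdict here only means the microcode proxy passed, so confirm the ACTM/BIOS version with the vendor tooling before closing the item.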

Vendor Security History

Intel has a history of firmware vulnerabilities affecting control flow and trusted execution environments. Notable prior advisories include INTEL-SA-01111 and INTEL-SA-01073, which addressed similar privilege escalation issues in Xeon firmware. Intel's coordinated disclosure and patching process is standard, but supply chain complexity can delay updates for end users.
