Ethical Hacking News
PCIe 5.0+ systems are vulnerable to serious risks due to newly discovered weaknesses in the Integrity and Data Encryption protocol. A recent advisory has highlighted three security vulnerabilities that could lead to information disclosure, escalation of privilege, or denial of service, especially if an attacker gains physical access to the targeted computer's PCIe interface.
The PCIe Integrity and Data Encryption (IDE) protocol contains three critical security vulnerabilities: CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614. These vulnerabilities could expose systems implementing the IDE protocol to serious risks. Successful exploitation requires physical or low-level access to the targeted computer's PCIe IDE interface. The vulnerabilities can be mitigated by applying firmware updates provided by component suppliers.
Cybersecurity experts have long warned about the importance of robust encryption protocols to protect sensitive data transmitted over high-speed connections. One such protocol, the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol, has been found to contain three critical security vulnerabilities that could potentially expose systems implementing it to serious risks.
According to a recent advisory released by the CERT Coordination Center (CERT/CC), these vulnerabilities, tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614, affect PCIe Base Specification Revision 5.0 and onwards, in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN). This finding has significant implications for system administrators who rely on these protocols to secure data transfers.
The three vulnerabilities are as follows:
Firstly, CVE-2025-9612, known as Forbidden IDE Reordering, is a missing integrity check on a receiving port that may allow re-ordering of PCIe traffic. This could lead the receiver to process stale data, compromising its confidentiality and integrity.
Secondly, CVE-2025-9613, Completion Timeout Redirection, involves an incomplete flushing of a completion timeout that may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag.
Thirdly, CVE-2025-9614, Delayed Posted Redirection, is related to the completion or re-keying of an IDE stream. This could result in the receiver consuming stale, incorrect data packets, thereby compromising its integrity and confidentiality.
The PCI Special Interest Group (PCI-SIG) has emphasized that successful exploitation of these vulnerabilities could undermine the security objectives of the IDE protocol. However, these attacks hinge on obtaining physical or low-level access to the targeted computer's PCIe IDE interface, which makes them relatively low-severity bugs with a CVSS v3.1 score of 3.0 and a CVSS v4 score of 1.8.
In light of these vulnerabilities, Intel and AMD have published their own alerts stating that the issues impact specific products from their lines of hardware. These include:
• Intel Xeon 6 Processors with P-Cores
• Intel Xeon 6700P-B/6500P-B series SoC with P-Cores
• AMD EPYC 9005 Series Processors
• AMD EPYC Embedded 9005 Series Processors
To mitigate the risks associated with these vulnerabilities, system administrators are advised to apply firmware updates provided by their component suppliers, especially in environments that rely on IDE for data protection.
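To scope that firmware work to devices that actually advertise IDE, the following added example (not from the advisory or the original article) walks the PCIe extended capability list in a device's configuration space and reports whether the IDE capability is present. It assumes the IDE extended capability ID 0x0030 as defined in Linux's `pci_regs.h`; the sample configuration spaces are constructed.

```python
import struct
from pathlib import Path

PCI_EXT_CAP_START = 0x100    # extended capabilities follow the 256-byte legacy space
PCI_EXT_CAP_ID_IDE = 0x0030  # assumption: IDE capability ID as in Linux pci_regs.h

def ext_capabilities(config: bytes):
    """Yield (offset, cap_id, version) for each PCIe extended capability."""
    offset, seen = PCI_EXT_CAP_START, set()
    while offset >= PCI_EXT_CAP_START and offset + 4 <= len(config):
        if offset in seen:
            break  # looping chain: stop rather than spin
        seen.add(offset)
        (header,) = struct.unpack_from("<I", config, offset)
        if header in (0, 0xFFFFFFFF):
            break  # empty list or device not responding
        yield offset, header & 0xFFFF, (header >> 16) & 0xF
        offset = (header >> 20) & 0xFFC  # next pointer, low two bits reserved

def advertises_ide(config: bytes) -> bool:
    return any(cap == PCI_EXT_CAP_ID_IDE for _, cap, _ in ext_capabilities(config))

def constructed_config(caps):
    """Build a 4 KiB sample config space from (offset, cap_id, next_offset) tuples."""
    buf = bytearray(4096)
    for off, cap_id, nxt in caps:
        struct.pack_into("<I", buf, off, cap_id | (1 << 16) | (nxt << 20))
    return bytes(buf)

# Constructed samples: AER (0x0001) chained to IDE (0x0030), and AER alone.
SAMPLE_WITH_IDE = constructed_config([(0x100, 0x0001, 0x148), (0x148, 0x0030, 0)])
SAMPLE_WITHOUT_IDE = constructed_config([(0x100, 0x0001, 0)])

def scan_sysfs(root="/sys/bus/pci/devices"):
    """Return addresses of devices advertising IDE (Linux; root needed past byte 64)."""
    hits = []
    for dev in sorted(Path(root).glob("*")):
        try:
            if advertises_ide((dev / "config").read_bytes()):
                hits.append(dev.name)
        except OSError:
            continue  # device removed or config not readable
    return hits

if __name__ == "__main__":
    print("sample with IDE:", advertises_ide(SAMPLE_WITH_IDE))
    print("sample without IDE:", advertises_ide(SAMPLE_WITHOUT_IDE))
    print("devices advertising IDE:", scan_sysfs() or "none visible")
```

A hit means the device advertises the IDE capability, not that it is affected or that IDE is enabled; use the result to decide which suppliers' firmware advisories to check first.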
In conclusion, this recent discovery highlights the importance of regularly monitoring and updating encryption protocols like PCIe IDE to prevent security breaches. As technology continues to advance at an unprecedented rate, it's essential for users to remain vigilant about potential vulnerabilities in these protocols.
Published: Wed Dec 10 08:58:46 2025 by llama3.2 3B Q4_K_M