Ethical Hacking News
Researchers at ETH Zurich have identified a new Spectre-based transient execution vulnerability, dubbed VMSCAPE (CVE-2025-40300), that lets a malicious guest in a cloud environment leak secrets from the hypervisor. The attack targets KVM and QEMU, affects AMD Zen 1-5 and Intel Coffee Lake processors, and is described in a paper accepted for the 47th IEEE Symposium on Security and Privacy. Because the authors consider a hardware fix infeasible, the issue has been mitigated in software at a performance cost, and cloud operators are urged to apply the patches and verify that their hosts actually report the mitigation as active.
In a paper published on Thursday, researchers from ETH Zurich describe VMSCAPE (CVE-2025-40300), yet another variant of the Spectre family of transient execution vulnerabilities. They present it as the first Spectre-based attack in which a malicious guest user in a cloud environment leaks secrets from the hypervisor in the host domain without any code changes to the hypervisor and without injecting return-oriented programming gadgets, i.e. the host runs unmodified code. The technique targets KVM (Kernel-based Virtual Machine), the in-kernel hypervisor, and QEMU (Quick Emulator), the userspace component of the hypervisor on the host.
Cloud computing relies on virtualization to partition physical computing resources into isolated virtual machines managed by a hypervisor. VMSCAPE exploits incomplete branch predictor isolation between guest and host: branch predictor state trained by a guest survives the VM exit and steers speculative execution in the hypervisor's userspace component (QEMU), which the existing Spectre mitigations on the affected platforms do not prevent. As in other Spectre-style attacks, the guest never executes host code; it only influences which path the host speculates down and then observes the side effects. The vulnerability affects AMD Zen 1-5 processors and Intel Coffee Lake processors, the latter introduced in 2017.
Because the flaw lies in the shared branch predictor itself, the authors deem hardware fixes infeasible for deployed processors. Linux maintainers have therefore addressed the issue in software, at a significant performance cost. The authors report that VMSCAPE leaks the memory of the QEMU process at a rate of 32 B/s on AMD Zen 4 and extracts the cryptographic key used for disk encryption/decryption within 772 seconds.
This latest Spectre variant is part of a broader line of processor microarchitecture vulnerabilities that have let attackers read sensitive memory to varying degrees since Spectre and Meltdown were disclosed in January 2018. The discovery of VMSCAPE highlights the ongoing cat-and-mouse game between security researchers, hardware vendors and malicious actors, with each new isolation boundary (here, the guest/host boundary in virtualized environments) being probed in turn.
Cybersecurity experts are urging cloud users and administrators to review their current security posture and apply the available patches: on a KVM host that means running a kernel that carries the VMSCAPE mitigation and confirming it is active, rather than assuming that the existing Spectre mitigations cover this case. While hardware fixes may be impractical for existing processors, the software patches provide a temporary solution, albeit with performance overhead.
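The Linux mitigation mentioned above reports its status through the kernel's per-bug sysfs interface, so the practical check on a KVM host is to read that entry rather than to trust the kernel version alone. The following POSIX shell script is an added example written for this article; it is not code from the VMSCAPE paper or from the Linux kernel. It assumes the entry is named `vmscape` under `/sys/devices/system/cpu/vulnerabilities/` and that its wording follows the usual `Not affected` / `Mitigation: ...` / `Vulnerable` pattern used by the other entries in that directory; the sample status lines it writes into a temporary directory are constructed test input, and the classification helper names (`classify_vmscape_line`, `vmscape_status`, `host_is_safe`) are this example's own.

```shell
#!/bin/sh
# Added example: check whether a Linux KVM host reports the VMSCAPE
# (CVE-2025-40300) mitigation. Not from the article or the paper.
# Assumption: the kernel exposes the status as one line in
# /sys/devices/system/cpu/vulnerabilities/vmscape, worded like the other
# entries in that directory. Verify the path and wording against your
# distribution's kernel documentation.

SYSFS_DIR="${VULN_SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_vmscape_line STATUS_LINE
# Prints one of: not-affected, mitigated, vulnerable, unknown.
# "Unknown: ..." (e.g. inside a guest that cannot see host state) and an
# empty line both map to unknown so that they are never treated as safe.
classify_vmscape_line() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation: "*) echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# vmscape_status [DIR]
# Reads DIR/vmscape (default: the real sysfs directory) and classifies it.
# A missing file means the running kernel predates the mitigation patches
# and cannot report on this bug, so it is "unknown", not "not-affected".
vmscape_status() {
    dir="${1:-$SYSFS_DIR}"
    f="$dir/vmscape"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    classify_vmscape_line "$(cat "$f")"
}

# host_is_safe [DIR]
# Exit status 0 only when the host is not affected or mitigated; anything
# else (vulnerable, unknown, file missing) is a failure for a fleet check.
host_is_safe() {
    case "$(vmscape_status "$1")" in
        not-affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Demo on a constructed fake sysfs tree, so it runs without root or KVM.
demo() {
    tmp="$(mktemp -d)"
    printf 'Mitigation: IBPB before exit to userspace\n' > "$tmp/vmscape"
    printf 'constructed "%s" -> %s\n' "$(cat "$tmp/vmscape")" "$(vmscape_status "$tmp")"
    printf 'Vulnerable\n' > "$tmp/vmscape"
    printf 'constructed "%s" -> %s\n' "$(cat "$tmp/vmscape")" "$(vmscape_status "$tmp")"
    rm -rf "$tmp"
}

demo
# Live check of the machine this script runs on.
printf 'this host: %s\n' "$(vmscape_status)"
```

Run it on each KVM host (or wire `host_is_safe` into your fleet's compliance check); a result of `unknown` on a host that should have been patched means the kernel does not carry the mitigation code at all, which is the case to chase rather than a clean bill of health.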
The specter (pun intended) of transient execution vulnerabilities continues to cast a long shadow over the realm of cybersecurity, highlighting the ongoing need for robust security measures and continuous vigilance in protecting sensitive information from even the most sophisticated attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Shadows-of-Spectre-A-New-Transient-Execution-Vulnerability-Exposes-Cloud-Secrets-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/11/vmscape_spectre_vulnerability/
Published: Thu Sep 11 10:41:32 2025 by llama3.2 3B Q4_K_M