RMPocalypse Flaw (CVE-2025-0033) Bypasses AMD SEV-SNP
A critical vulnerability has been discovered in AMD's SEV-SNP hardware protection architecture, widely deployed by major cloud providers such as AWS, Microsoft Azure and Google Cloud, that allows a malicious hypervisor to compromise encrypted virtual machines and obtain unfettered access to their memory. Dubbed RMPocalypse, the attack subverts the confidentiality and integrity guarantees upon which the SEV-SNP trusted-execution model is built.
The research, presented at ACM CCS 2025 in Taipei, details how the flaw is abused during initialization of SEV-SNP's key structural table, the Reverse Map Table (RMP). The RMP records, for every system physical page, which owner (hypervisor or guest) it belongs to and which guest physical address it is assigned to, and is intended to prevent the page-remapping attacks that plagued earlier SEV generations. Crucially, however, the RMP does not yet exist at the earliest stage of boot, and therefore cannot defend itself against writes originating from x86 cores that run concurrently with its initialization.
Tracked as CVE-2025-0033 (CVSS 8.2), the issue affects AMD processors on the Zen 3, Zen 4 and Zen 5 microarchitectures, including the EPYC server chips heavily used in cloud infrastructure. The problem is a classic catch-22: the RMP must protect itself from modification, but the protective mechanisms are not yet active during its own construction. The Platform Security Processor (PSP), an ARM-based coprocessor, is responsible for creating Trusted Memory Regions (TMRs) on the memory controller and for blocking x86 cores from writing to the RMP memory during this window. As ETH Zurich researchers Benedict Schlüter and Shweta Shinde demonstrate, those protections prove insufficient.
Asynchronous execution of the x86 cores permits dirty cache lines targeting RMP memory to be created before the PSP fully enforces protection. When the TMRs are removed after initialization, these stale cache lines are written back to DRAM, silently overwriting the freshly constructed RMP with attacker-controlled values. Experiments on EPYC 9135 (Zen 5), 9124 (Zen 4) and 7313 (Zen 3) confirmed reliable overwrites, with Zen 3 particularly susceptible due to coherence issues. Although the PSP firmware contains hints of mitigations, such as cache flush routines, the absence of a global cache/TLB purge mechanism and the opacity of some firmware components thwart an effective defense.
RMPocalypse enables an attacker to place protected pages in a state amenable to arbitrary hypervisor modification, yielding four practical attack vectors:
- Attestation forgery. An adversary can substitute context pages with older encrypted copies, deceiving the guest into trusting a tampered VM image. Context pages are encrypted but carry no cryptographic integrity tag, so an older ciphertext can be replayed without detection.
- Enabling debug mode. By flipping a single bit (the DEBUG bit) in the guest policy stored in the context page, the attacker unlocks the SNP_DBG_DECRYPT/SNP_DBG_ENCRYPT firmware commands, granting the hypervisor full read and write access to the confidential VM's memory. The operation completes in under about 15 ms with greater than 99.9% reliability, and without breaking attestation.
- VMSA state replay. This vector restores virtual machine registers to a prior snapshot, undermining execution integrity and enabling rollback to vulnerable states.
- Arbitrary code injection. By manipulating the tweak values used during SNP_PAGE_MOVE, an attacker can relocate attacker-chosen ciphertext (for example, the contents of an incoming network packet) over kernel code, circumventing memory encryption and ASLR; the entire sequence completes in roughly 5 ms.
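The "enabling debug mode" vector above works by setting the DEBUG bit of the guest policy. A relying party that consumes SEV-SNP attestation reports should, as a matter of course, reject any report whose policy permits debugging or migration. The following C code is an added example, not code from the paper or from AMD: it parses the VERSION and POLICY fields of an ATTESTATION_REPORT (offsets 0x00 and 0x08 in the SEV-SNP ABI) and applies those checks. It assumes the report's signature has already been verified against the VCEK chain, and the sample reports it builds are constructed here with only those two fields populated. The caveat the page itself raises still applies: because RMPocalypse flips the bit in the context page without breaking attestation, a policy check is necessary hygiene but not a defense against this CVE, which needs a firmware fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the SEV-SNP ATTESTATION_REPORT structure (AMD SEV-SNP ABI). */
#define SNP_REPORT_SIZE        0x4A0
#define SNP_REPORT_OFF_VERSION 0x00   /* u32, little-endian */
#define SNP_REPORT_OFF_POLICY  0x08   /* u64, little-endian */

/* Guest policy bits (SEV-SNP ABI guest policy layout). */
#define POLICY_SMT            (1ULL << 16)
#define POLICY_RESERVED_ONE   (1ULL << 17)   /* must be 1 in every valid policy */
#define POLICY_MIGRATE_MA     (1ULL << 18)
#define POLICY_DEBUG          (1ULL << 19)   /* enables SNP_DBG_DECRYPT/ENCRYPT */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd_le64(const uint8_t *p)
{
    return (uint64_t)rd_le32(p) | (uint64_t)rd_le32(p + 4) << 32;
}

/* Returns 0 if the policy is acceptable for a production workload; a negative
 * code otherwise, with a human-readable reason written to `reason`. */
int snp_check_policy(const uint8_t *report, size_t len, char *reason, size_t rlen)
{
    if (len < SNP_REPORT_SIZE) {
        snprintf(reason, rlen, "report too short (%zu bytes)", len);
        return -1;
    }
    uint32_t version = rd_le32(report + SNP_REPORT_OFF_VERSION);
    if (version < 2) {
        snprintf(reason, rlen, "unsupported report version %u", version);
        return -2;
    }
    uint64_t policy = rd_le64(report + SNP_REPORT_OFF_POLICY);
    if (!(policy & POLICY_RESERVED_ONE)) {
        snprintf(reason, rlen, "malformed policy 0x%llx: reserved bit 17 clear",
                 (unsigned long long)policy);
        return -3;
    }
    if (policy & POLICY_DEBUG) {
        snprintf(reason, rlen, "policy 0x%llx allows DEBUG: hypervisor may decrypt guest memory",
                 (unsigned long long)policy);
        return -4;
    }
    if (policy & POLICY_MIGRATE_MA) {
        snprintf(reason, rlen, "policy 0x%llx allows a migration agent",
                 (unsigned long long)policy);
        return -5;
    }
    reason[0] = '\0';
    return 0;
}

/* Constructed sample report: version 2, the given policy, all other bytes zero. */
static void make_sample_report(uint8_t *buf, uint64_t policy)
{
    memset(buf, 0, SNP_REPORT_SIZE);
    buf[SNP_REPORT_OFF_VERSION] = 2;
    for (int i = 0; i < 8; i++)
        buf[SNP_REPORT_OFF_POLICY + i] = (uint8_t)(policy >> (8 * i));
}

/* Builds a sample report with `policy`, checks it, and returns the verdict code. */
int demo_policy_check(uint64_t policy)
{
    uint8_t report[SNP_REPORT_SIZE];
    char why[160];
    make_sample_report(report, policy);
    int rc = snp_check_policy(report, sizeof report, why, sizeof why);
    printf("policy 0x%llx -> %s\n", (unsigned long long)policy, rc == 0 ? "accept" : why);
    return rc;
}

int main(void)
{
    demo_policy_check(POLICY_SMT | POLICY_RESERVED_ONE);                /* 0x30000: accept  */
    demo_policy_check(POLICY_SMT | POLICY_RESERVED_ONE | POLICY_DEBUG); /* 0xB0000: reject  */
    demo_policy_check(POLICY_SMT);                                      /* 0x10000: malformed */
    return 0;
}
```

The policy 0x30000 (SMT allowed, reserved bit set) is the common default launched by Linux hosts; anything with bit 19 set should never reach production acceptance logic.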
In short, SEV-SNP's protections collapse in the presence of an untrusted hypervisor, a scenario that is fatal for workloads handling sensitive data, from corporate applications to AI models and cloud storage.
AMD has acknowledged the vulnerability and is working on patches, but at publication time no fix had been released for the affected processors. As interim mitigations, the researchers recommend hardening the core-level barriers: validate the cache state before the TMRs are set up, force a global cache and TLB purge after the RMP has been constructed, or otherwise ensure deterministic cache/TLB coherence before the protection window is closed. Implementing these measures on Zen 3 is complicated by its coherence behavior and may require additional synchronization primitives.
RMPocalypse joins prior microarchitectural exploits such as CacheWarp and Heckler in underscoring how fragile even advanced confidential-computing technologies remain. Although AMD has partially opened the PSP firmware sources, opaque components continue to impede comprehensive analysis and remediation. Because the vulnerability is triggered during the SNP_INIT_EX phase, in well under 234 ms, the community must reassess the degree of trust placed in hardware security mechanisms.
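The mechanism described earlier (a stale dirty line created before the TMR is enforced, drained to DRAM after the TMR is removed) and the mitigation ordering just discussed come down to a question of when the cache is purged relative to the protection window. The following C program is an added illustration written for this article, not the researchers' code and not a description of AMD's real microarchitecture: it models DRAM, a write-back cache of dirty lines, a TMR that blocks x86 write-backs, and a PSP whose writes bypass the x86 caches (all model assumptions), then runs the initialization sequence under three purge strategies. It shows why a purge performed before the TMR is raised can still lose the race to an asynchronous x86 core, while a purge performed after RMP construction and before the TMR is dropped leaves the table intact.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINES    8
#define RMP_GOOD 0x1111ULL   /* value the PSP writes for a freshly built RMP entry */
#define RMP_EVIL 0xDEADULL   /* attacker-chosen value staged from an x86 core */

/* Simplified model of the memory path (assumption, not AMD's design). */
struct model {
    uint64_t dram[LINES];        /* what actually sits in DRAM */
    uint64_t cache_data[LINES];  /* x86 cache contents per line */
    bool     cache_dirty[LINES]; /* line modified, not yet written back */
    bool     tmr_active;         /* TMR covering the RMP region */
};

/* An x86 core store lands in the cache as a dirty line, never directly in DRAM. */
static void x86_write(struct model *m, int line, uint64_t v)
{
    m->cache_data[line] = v;
    m->cache_dirty[line] = true;
}

/* Eviction/write-back: blocked while the TMR is active (line stays dirty),
 * otherwise every dirty line is drained to DRAM. */
static void cache_writeback(struct model *m)
{
    for (int i = 0; i < LINES; i++) {
        if (!m->cache_dirty[i] || m->tmr_active)
            continue;
        m->dram[i] = m->cache_data[i];
        m->cache_dirty[i] = false;
    }
}

/* PSP stores bypass the x86 cache hierarchy and go straight to DRAM. */
static void psp_write(struct model *m, int line, uint64_t v)
{
    m->dram[line] = v;
}

/* Invalidate (discard, no write-back) every cached line covering the RMP region. */
static void purge_rmp_lines(struct model *m)
{
    memset(m->cache_dirty, 0, sizeof m->cache_dirty);
    memset(m->cache_data, 0, sizeof m->cache_data);
}

enum strategy {
    NO_PURGE = 0,          /* vulnerable sequence */
    PURGE_BEFORE_TMR = 1,  /* purge once, before the TMR is raised */
    PURGE_AFTER_BUILD = 2  /* purge after the RMP is built, before the TMR is dropped */
};

/* Runs an SNP_INIT_EX-like sequence and returns the DRAM value of RMP line 0. */
uint64_t run_init(enum strategy s)
{
    struct model m;
    memset(&m, 0, sizeof m);

    /* 1. Attacker on an x86 core stages a write to the future RMP region. */
    x86_write(&m, 0, RMP_EVIL);

    if (s == PURGE_BEFORE_TMR) {
        purge_rmp_lines(&m);
        /* 2. Cores run asynchronously: the attacker simply writes again
         *    in the gap between the purge and TMR activation. */
        x86_write(&m, 0, RMP_EVIL);
    }

    /* 3. PSP raises the TMR and builds the RMP; evictions are now blocked. */
    m.tmr_active = true;
    cache_writeback(&m);
    psp_write(&m, 0, RMP_GOOD);

    /* 4. Purge stale lines while the region is still protected. */
    if (s == PURGE_AFTER_BUILD)
        purge_rmp_lines(&m);

    /* 5. PSP drops the TMR; whatever is still dirty drains to DRAM. */
    m.tmr_active = false;
    cache_writeback(&m);
    return m.dram[0];
}

int main(void)
{
    const char *names[] = { "no purge", "purge before TMR", "purge after build" };
    for (int s = NO_PURGE; s <= PURGE_AFTER_BUILD; s++) {
        uint64_t v = run_init((enum strategy)s);
        printf("%-18s -> RMP[0] = 0x%llx (%s)\n", names[s], (unsigned long long)v,
               v == RMP_GOOD ? "intact" : "OVERWRITTEN");
    }
    return 0;
}
```

The model deliberately discards rather than writes back the stale lines in `purge_rmp_lines`: a write-back-style flush would itself deliver the attacker's data. In the real system the equivalent step has to run on, or be forced onto, every x86 core after the table is complete, which is the "forced global cache and TLB purge after RMP construction" the researchers describe, and which the page notes is hard to guarantee on Zen 3.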