CVE-2020-12930 Overview
CVE-2020-12930 is a local privilege escalation vulnerability in AMD Secure Processor (ASP) drivers. The flaw stems from improper parameter handling, allowing an attacker with existing privileges on the system to elevate access and compromise integrity. AMD disclosed the issue through security bulletins SB-1029 and SB-5001, which cover a broad set of Ryzen, Threadripper, Athlon, and Radeon products that ship with affected drivers and firmware.
Critical Impact
A local, privileged attacker can manipulate ASP driver parameters to gain higher privileges, leading to loss of confidentiality, integrity, and availability across affected AMD platforms.
Affected Products
- AMD Enterprise Driver, Radeon Software, and Radeon Pro Software
- AMD Ryzen 2000/3000/5000 series CPUs and APUs (desktop and mobile)
- AMD Ryzen Threadripper and Threadripper PRO 3000/5000 series, Athlon 3000-series, and Radeon RX 5000/Vega GPU firmware
Discovery Timeline
- 2022-11-09 - CVE-2020-12930 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-12930
Vulnerability Analysis
The AMD Secure Processor (ASP), historically known as the Platform Security Processor (PSP), is a dedicated ARM-based coprocessor embedded in AMD CPUs and APUs. It handles sensitive operations such as secure boot, cryptographic key management, fTPM services, and Secure Encrypted Virtualization. Host operating systems communicate with the ASP through kernel-mode drivers bundled with AMD chipset, Radeon, and enterprise driver packages.
CVE-2020-12930 is classified as an improper input validation flaw in those ASP drivers. The drivers expose interfaces that accept caller-supplied parameters when forwarding requests to the secure processor. Because those parameters are not validated correctly, a local actor that already holds privileges on the system can craft inputs that drive the driver into an unintended state, breaking the trust boundary between the host OS and the ASP.
Root Cause
The root cause is insufficient validation of parameters passed into ASP driver entry points. When parameters fall outside expected ranges or describe attacker-controlled memory regions, the driver acts on them without adequate checks, enabling privilege escalation and integrity loss on the underlying platform.
Attack Vector
Exploitation requires local access and existing low-level privileges on the target system. The attacker interacts with the ASP driver from user mode or another privileged context, supplying malformed parameters that the driver fails to reject. Successful exploitation grants the attacker higher privileges and the ability to tamper with components that depend on ASP integrity. No network vector and no user interaction are involved. Refer to the AMD Security Bulletin SB-1029 and AMD Security Bulletin SB-5001 for vendor technical details.
Detection Methods for CVE-2020-12930
Indicators of Compromise
- Loading or interaction with outdated AMD ASP driver binaries shipped with vulnerable chipset, Radeon, or enterprise driver packages.
- Unexpected kernel-mode IOCTL traffic targeting AMD secure processor device objects from non-administrative or unusual user-mode processes.
- Sudden privilege transitions on AMD hosts following local execution of unsigned or unknown binaries that open handles to ASP driver interfaces.
Detection Strategies
- Inventory AMD driver versions across the fleet and flag systems running AMD chipset, Radeon, or enterprise driver versions predating the SB-1029 and SB-5001 fixes.
- Monitor for kernel driver load events and IOCTL activity directed at AMD ASP device names, correlating with the calling process integrity level.
- Hunt for local privilege escalation patterns such as a medium-integrity process spawning high-integrity children shortly after interacting with AMD secure processor drivers.
Monitoring Recommendations
- Forward EDR telemetry covering driver loads, handle opens, and IOCTL calls to a central data lake and retain at least 90 days of history for retrospective hunting.
- Alert on installation or replacement of amdsps.sys, amdpsp.sys, and related AMD kernel modules outside of approved patch windows.
- Track integrity-level changes on AMD endpoints and review token elevation events alongside parent-process context for suspicious sequences.
How to Mitigate CVE-2020-12930
Immediate Actions Required
- Apply the AMD-provided driver and firmware updates referenced in AMD Security Bulletin SB-1029 and AMD Security Bulletin SB-5001 to all affected systems.
- Audit administrative and local accounts on AMD-based endpoints and revoke unnecessary privileged access that could be used to reach the ASP driver.
- Validate that endpoint protection and logging are enabled on every AMD platform listed in the bulletins, including workstations, servers, and Threadripper PRO systems.
Patch Information
AMD released fixed driver packages and AGESA firmware updates documented in AMD Security Bulletin SB-1029 and AMD Security Bulletin SB-5001. System integrators and OEMs distribute the updated firmware through BIOS/UEFI updates, while chipset and graphics driver fixes are delivered through AMD's standard driver downloads. Deploy both the OS-level driver update and the platform firmware update to fully remediate the issue.
Workarounds
- Restrict local interactive logon and remote management access on AMD endpoints to a minimal set of trusted administrators until patches are applied.
- Enforce application allow-listing and block unsigned or unknown executables from loading on systems pending firmware updates.
- Where firmware updates cannot be applied immediately, isolate affected hosts from sensitive networks and increase monitoring of kernel driver interactions.
# Configuration example: identify installed AMD driver versions on Windows endpoints
Get-WmiObject Win32_PnPSignedDriver | \
Where-Object { $_.Manufacturer -like "*AMD*" } | \
Select-Object DeviceName, DriverVersion, DriverDate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

