The Curated Daily
← Back to the archiveDispatch · 5 min read
Dispatch

The RCE that AMD wouldn't fix

By the editors·Friday, June 12, 2026·5 min read
Detailed shot of AMD Ryzen 7 9700X processor held against bright yellow background.
Photograph by Andrey Matveev · Pexels

In the world of finance, cybersecurity isn’t just an IT issue; it's a material risk impacting stock prices, investor confidence, and the stability of entire sectors. Recently, a significant security flaw in AMD processors – a Remote Code Execution (RCE) vulnerability – gained attention, but perhaps not enough attention, particularly within financial circles. While AMD initially downplayed the severity and ultimately decided not to issue a patch for a wide range of older processors, the fallout could be substantial. This article will break down the vulnerability, its potential financial impact, and what steps investors and businesses should take to mitigate the risks.

What is the AMD RCE Vulnerability? (CVE-2023-20591)

The vulnerability, tracked as CVE-2023-20591, resides within the AMD Platform Security Processor (PSP). The PSP is a dedicated security subsystem integrated into many AMD CPUs, responsible for features like Secure Boot and memory encryption. Security researchers discovered that a flaw in the PSP firmware allows for remote code execution. This means a malicious actor could potentially gain control of a system without needing physical access or user interaction.

Essentially, an attacker could exploit this vulnerability to:

  • Install malware: Including ransomware, spyware, and keyloggers.
  • Steal sensitive data: Accessing financial records, intellectual property, and customer information.
  • Disrupt operations: Causing system crashes, data corruption, and network outages.
  • Gain persistent access: Maintaining control of the system even after reboots.

Why Didn’t AMD Issue a Patch?

This is where the story takes a particularly concerning turn. AMD opted not to release a firmware update to address the vulnerability for many older processors. Their justification? The complexity and risk associated with updating the PSP firmware on those platforms. They claimed that attempting a fix could potentially brick the processors, rendering them unusable.

AMD stated the risk of successful exploitation was low, requiring a physically accessible attacker, and offered mitigation guidance to customers. However, security experts widely criticized this decision. The “low risk” assessment was disputed, and the lack of a patch left millions of systems vulnerable, particularly those in environments where physical security isn’t guaranteed. Furthermore, even if physical access is limited, supply chain attacks are a real concern - malicious actors could compromise systems before they even reach the end-user.

The Financial Implications: A Multi-Layered Risk

The AMD RCE vulnerability isn’t just a technical problem; it represents a genuine financial risk across several layers.

1. Stock Market Impact: AMD's Reputation and Future Sales

The initial news of the vulnerability, and especially the controversial decision not to patch, negatively impacted investor confidence in AMD. While the immediate stock dip wasn’t catastrophic, the event raises questions about AMD’s commitment to security and its long-term reputation. A loss of trust can translate to decreased sales, especially in sectors requiring high levels of security like data centers and government contracts.

2. Corporate Losses: Data Breaches & Operational Disruptions

For businesses relying on vulnerable AMD processors, the potential financial losses are far more direct. A successful exploit could lead to:

  • Data breach costs: Including legal fees, regulatory fines (GDPR, CCPA, etc.), notification costs, and credit monitoring services. These costs can easily run into the millions, even billions, of dollars.
  • Reputational damage: Loss of customer trust and brand value.
  • Operational downtime: Lost productivity, revenue, and potentially, contractual penalties.
  • Remediation costs: The expense of investigating the breach, cleaning up infected systems, and enhancing security measures.
  • Supply chain disruption: If AMD-powered servers are compromised, it can impact the entire supply chain, leading to widespread losses.

3. Financial Institutions: A Prime Target

Financial institutions are particularly vulnerable. The sensitive data they handle – account details, transaction records, personal identification information – makes them prime targets for cyberattacks. A breach at a bank or investment firm could have devastating consequences, not just for the institution itself, but also for its customers and the broader financial system. The cost of recovery, coupled with the loss of public trust, would be immense.

4. Indirect Costs: Increased Insurance Premiums and Compliance Costs

Even if a business isn’t directly breached, the AMD vulnerability could lead to increased cybersecurity insurance premiums. Insurers are likely to view older, unpatched systems as a higher risk and charge accordingly. Furthermore, organizations may need to invest in additional security controls and compliance measures to mitigate the risk, further increasing costs.

Which Systems Are Affected? (And What Can You Do?)

The vulnerability affects a wide range of AMD Ryzen, EPYC, and Athlon processors. Here's a simplified breakdown (note: this is not exhaustive. Consult AMD's security bulletin for a complete list):

| Processor Family | Affected Processors (Examples) | Patch Availability |

|---|---|---| | Ryzen 1000 Series | Ryzen 5 1600, Ryzen 7 1800X | No Patch | | Ryzen 2000 Series | Ryzen 5 2600, Ryzen 7 2700X | No Patch | | Ryzen 3000 Series | Ryzen 5 3600, Ryzen 9 3900X | Limited Patch (Some models) | | EPYC 7001 Series | EPYC 7402P, EPYC 7551 | Limited Patch (Some models) | | Athlon 200 Series | Athlon 200GE, Athlon 300GE | No Patch |

Mitigation Steps (Even Without a Patch):

  • Enable Secure Boot: This helps to ensure that only trusted software loads during startup.
  • Strong Physical Security: Restrict physical access to servers and workstations.
  • Network Segmentation: Isolate critical systems from the broader network.
  • Regular Security Audits: Identify and address potential vulnerabilities.
  • Intrusion Detection/Prevention Systems (IDS/IPS): Monitor network traffic for malicious activity.
  • Virtualization: Utilize virtualization technologies to isolate workloads and limit the impact of a potential breach. https://example.com/ - Consider investing in robust virtualization software.
  • Keep other software updated: Ensure your operating systems and applications are up-to-date with the latest security patches.

The Broader Implications for the Tech Industry

The AMD RCE vulnerability highlights a critical dilemma for tech companies. Balancing security with usability and maintaining backward compatibility is a constant challenge. AMD’s decision, while arguably pragmatic from an engineering perspective, raises ethical questions about their responsibility to protect customers, even those using older hardware.

This incident serves as a stark reminder that:

  • Security is a continuous process: It's not a one-time fix.
  • Transparency is crucial: Companies need to be upfront about vulnerabilities and the risks they pose.
  • Long-term support is vital: Vendors should provide adequate security support for their products throughout their lifecycle.

Conclusion: Proactive Security is Paramount

The AMD RCE vulnerability is a wake-up call for investors and businesses alike. Ignoring this risk is not an option. While AMD’s decision not to patch is concerning, organizations can take proactive steps to mitigate the potential impact. A layered security approach, coupled with diligent monitoring and incident response planning, is essential. Ultimately, prioritizing cybersecurity is not just about protecting data; it's about protecting financial stability and ensuring long-term success.

Disclaimer:

This article is for informational purposes only and should not be considered financial or investment advice. The author has no affiliation with AMD. Affiliate links may be included, and we may earn a commission if you make a purchase through those links. This does not influence our editorial content.

Pass it onX·LinkedIn·Reddit·Email
The Sunday note

If this was your kind of read.

Sign up for the morning email — short, hand-written, and sent only when there's something worth your time.

Free, sent from a person, not a system. Unsubscribe in one click whenever.