CVE-2024-28127

High

Published: 12 February 2025

Published

12 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0002 6.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

Security Summary

CVE-2024-28127 is an improper input validation vulnerability, classified under CWE-20, affecting the UEFI firmware for some Intel(R) Processors. Published on 2025-02-12, it carries a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with local attack vector, high attack complexity, and requirements for high privileges.

The vulnerability can be exploited by a privileged user with local access, potentially enabling escalation of privilege. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, compounded by a change in scope that amplifies the consequences beyond the vulnerable component.

Intel's security advisory INTEL-SA-01139 provides details on the issue at https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html. Debian LTS has also issued an announcement related to this CVE at https://lists.debian.org/debian-lts-announce/2025/03/msg00021.html.

Details

CWE(s): CWE-20

References

https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
secure@intel.com
https://lists.debian.org/debian-lts-announce/2025/03/msg00021.html
af854a3a-2127-422b-91ae-364da2661108