Insyde Software Tool Security Advisory

Insyde ID: INSYDE-SA-2019001
Advisory Category: Software
Impact of Vulnerability: Escalation of Privilege, Information Disclosure
Severity Rating: MEDIUM
Original Date: 08/12/2019
Last Revised: 09/04/2019


A potential security vulnerability in the Insyde software tools may allow escalation of privilege or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.

Vulnerability Details

CVEID: CVE-2019-12532

Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege or information disclosure via local access. This is a software vulnerability, not a BIOS issue.

CVSS Base Score: 6.9 Medium


Affected Insyde Tools:

  • H2OFFT version 3.02~5.28,,
  • H2OOAE before version
  • H2OSDE before version
  • H2OUVE before version
  • H2OPCM before version
  • H2OELV before version


  • Insyde Software has released a new version of the software tools to hardware manufacturers to mitigate this potential vulnerability.
  • Insyde Software recommends that users contact their hardware manufacturers to get an updated version of the BIOS flash package.


Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

Revision History:

Revision  Date               Description
1.0       12-August-2019     Initial Release
1.1       04-September-2019  Update Tool Release Status
