Insyde Software Security Advisory

| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2021001 | Software | Escalation of Privilege, Information Disclosure | 7.2 | 06/14/2021 | 12/28/2021 |


A potential security vulnerability in the handler for IDE devices may allow escalation of privilege, or information disclosure. Insyde has released firmware updates to mitigate this potential vulnerability.

Vulnerability Details


Description: Improper usage of Insyde firmware’s SMM services may allow a privileged user to gain escalated privileges or access to privileged information via local access.

CVSS Base Score: 7.2 Serious


CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Affected Insyde Products:

  • InsydeH2O versions 5.4 before version 5.42.44 (with no IDE controller) or 5.43.25 (with IDE controller)
  • InsydeH2O versions 5.3 before version 5.34.44 (with no IDE controller) or 5.35.25 (with IDE controller)
  • InsydeH2O versions 5.2 before version 5.25.44 (with no IDE controller) or 5.26.25 (with IDE controller)
  • InsydeH2O versions 5.1 before version 5.16.25 (with or without IDE controller)


  • Contact Insyde Software for an updated version of the affected products
  • Insyde Software recommends that users contact hardware manufacturers to get an updated version of the BIOS flash package.


Insyde would like to thank security researcher Evgenii Rasskazov for reporting this issue.

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1.0 | 15-June-2021 | Initial Release |
| 1.1 | 02-July-2021 | Corrected CVE Link/Date |
| 1.2 | 29-November-2021 | Updated CVE Description |
| 1.3 | 28-December-2021 | Corrected Updated Description |
