Since our inception 20 years ago, security has been essential. Hundreds of OEMs and ODM partners have trusted us with enabling the platforms that form the foundation of their products, knowing we share their commitment to make them secure. Product security is a top priority with our company and an area of focus that we continue to improve upon every day.

  • We sit on the security review team of the industry’s leading firmware standards body: the UEFI Security Response Team.
  • We have internal product security experts that drive our Security Development Lifecycle (SDL) process within our BIOS and BMC firmware teams and evaluate existing and emerging threats.
  • We issue regular and timely security alert bulletins when mitigations to vulnerabilities are discovered.
  • We work closely with all of our silicon vendor partners to ensure the timely and critical delivery of microcode updates and other patches.

At Insyde, we work with the broader industry to identify, report, mitigate and disclose security vulnerabilities. We support you, our customers and partners, in closing the door to anything which compromises the security or privacy in your platforms. We take this role seriously, because if your firmware is not secure, your product is not secure.

This is our pledge to you. If you have any questions about Insyde Software’s commitment to security, I urge you to reach out to us at security.report@insyde.com

Tim Lewis, Chief Technology Officer


Insyde Software Security Advisories for InsydeH2O UEFI Firmware:

| Common Vulnerabilities and Exposures (CVE) | CVSS v3 Vulnerability Severity | Description | Insyde Security Advisory (SA) | Date (MM/DD/YYYY) | Last Revised |
|---|---|---|---|---|---|
| CVE-2024-1298 | 5.3 | [EDK2] FirmwarePerformancePei: Potential UINT32 overflow and subsequent divide by 0 | INSYDE-SA-2024006 | 09/10/2024 | 09/10/2024 |
| Multiple | 7.4 | SMM memory corruption vulnerability could lead to escalating privileges in SMM. (CWE-822) | INSYDE-SA-2024001 | 05/13/2024 | 05/13/2024 |
| CVE-2023-47252 | 4.7 | PnpSmm: Possible out of bounds in SMM communication buffer, leading to tampering. | INSYDE-SA-2023067 | 04/09/2024 | 04/09/2024 |
| CVE-2023-28149 | 6.1 | IhisiServiceSmm: A vulnerability in the module that could allow an attacker to modify UEFI variables. | INSYDE-SA-2023040 | 03/12/2024 | 03/12/2024 |
| Multiple | 5.3~8.3 | VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. | INSYDE-SA-2023066 | 01/16/2024 | 09/10/2024 |
| Multiple | 7 | VU#275256: Vulnerabilities in EDK2 Reference implementation of the UEFI Specification. | INSYDE-SA-2023031 | 01/09/2024 | 01/09/2024 |

Insyde Software Security Advisories for Supervyse BMC Firmware:

| Common Vulnerabilities and Exposures (CVE) | CVSS v3 Vulnerability Severity | Description | Insyde Security Advisory (SA) | Date (MM/DD/YYYY) | Last Revised |
|---|---|---|---|---|---|
| Multiple | Low | Upgrade OpenSSL to 3.2.1 | INSYDE-SA-2024009 | 09/10/2024 | 09/10/2024 |
| CVE-2024-26306 | TBD | Upgrade iperf3 to 3.17 | INSYDE-SA-2024005 | 08/19/2024 | 08/19/2024 |
| Multiple | N/A | Upgrade libexpat to 2.6.2 | INSYDE-SA-2024004 | 05/13/2024 | 05/13/2024 |
| Multiple | 5.5~8.1 | Upgrade libcurl to 8.7.1 | INSYDE-SA-2024002 | 05/13/2024 | 05/13/2024 |
| Multiple | 5.3~6.5 | Upgrade to curl version 8.5.0 | INSYDE-SA-2023068 | 03/12/2024 | 03/12/2024 |
| CVE-2023-38545 | 9.8 | curl: SOCKS5 heap buffer overflow. | INSYDE-SA-2023065 | 01/09/2024 | 01/09/2024 |

Past Announcements

2023 Advisories
2022 Advisories
2021 and Previous Years Advisories