Phoenix attack bypasses Rowhammer defenses in DDR5 memory
Summary
Hide ▲
Show ▼
A new Rowhammer attack variant, Phoenix, bypasses DDR5 Rowhammer defenses in SK Hynix memory chips. The attack exploits specific refresh intervals and synchronization methods to flip bits, enabling privilege escalation, data corruption, or unauthorized access. The vulnerability, tracked as CVE-2025-6202, affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The attack was developed by researchers at ETH Zurich University and Google, who demonstrated its effectiveness on 15 DDR5 memory chips. The vulnerability allows attackers to gain root privileges in under two minutes on a commodity DDR5 system. The attack can exploit RSA-2048 keys of a co-located virtual machine to break SSH authentication and use the sudo binary to escalate local privileges to the root user. Mitigation involves tripling the DRAM refresh interval, but this may cause system instability.
Timeline
-
15.09.2025 21:01 2 articles · 14d ago
Phoenix attack bypasses Rowhammer defenses in DDR5 memory
The Phoenix attack can exploit RSA-2048 keys of a co-located virtual machine to break SSH authentication. The attack can use the sudo binary to escalate local privileges to the root user. The attack bypasses advanced TRR defenses on DDR5 memory. The attack can obtain root on a DDR5 system with default settings in as little as 109 seconds. The attack exploits the fact that mitigation does not sample certain refresh intervals to flip bits on all 15 DDR5 memory chips in the test pool that were produced between 2021 and 2024.
Show sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
Information Snippets
-
Phoenix is a new Rowhammer attack variant that bypasses DDR5 Rowhammer defenses.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack exploits specific refresh intervals and synchronization methods to flip bits.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The vulnerability affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack was developed by researchers at ETH Zurich University and Google.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The vulnerability allows attackers to gain root privileges in under two minutes on a commodity DDR5 system.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack can corrupt data, increase privileges, execute malicious code, or gain access to sensitive data.
First reported: 15.09.2025 21:011 source, 1 articleShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
-
Mitigation involves tripling the DRAM refresh interval, but this may cause system instability.
First reported: 15.09.2025 21:012 sources, 2 articlesShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The vulnerability is tracked as CVE-2025-6202 and received a high-severity score.
First reported: 15.09.2025 21:011 source, 1 articleShow sources
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory — www.bleepingcomputer.com — 15.09.2025 21:01
-
The attack can exploit RSA-2048 keys of a co-located virtual machine to break SSH authentication.
First reported: 16.09.2025 10:271 source, 1 articleShow sources
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack can use the sudo binary to escalate local privileges to the root user.
First reported: 16.09.2025 10:271 source, 1 articleShow sources
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack bypasses advanced TRR defenses on DDR5 memory.
First reported: 16.09.2025 10:271 source, 1 articleShow sources
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack can obtain root on a DDR5 system with default settings in as little as 109 seconds.
First reported: 16.09.2025 10:271 source, 1 articleShow sources
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
-
The attack exploits the fact that mitigation does not sample certain refresh intervals to flip bits on all 15 DDR5 memory chips in the test pool that were produced between 2021 and 2024.
First reported: 16.09.2025 10:271 source, 1 articleShow sources
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds — thehackernews.com — 16.09.2025 10:27
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.
ShadowLeak: Undetectable Email Theft via AI Agents
A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software
The Gentlemen ransomware gang is using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes. The ransomware exploits CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The attacks have been observed since this summer, with the group adapting its tactics mid-campaign. The use of legitimate, signed drivers complicates detection and defense. The ransomware was first observed this summer. The Gentlemens have been exploiting vulnerable, Internet-facing infrastructure and VPNs in their attacks. The group uses PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. Organizations are advised to implement zero-trust controls and monitor for unusual process combinations to defend against these attacks.