Cyber Resilience

CVE-2023-29164

MediumLPE

Published: 12 February 2025

Published
12 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 15.6th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29164 is a medium-severity Improper Access Control (CWE-284) vulnerability in Intel (inferred from references). Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-29164 is an improper access control vulnerability (CWE-284) affecting the Baseboard Management Controller (BMC) Firmware on specific Intel Server Boards. The impacted products include Intel Server Board S2600WF, S2600ST, and S2600BP versions prior to 02.01.0017, as well as Intel Server Board M50CYP and D50TNP versions prior to R01.01.0009. The vulnerability, published on 2025-02-12, carries a CVSS v3.1 base score of 7.3 (High), with vector AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N.

An attacker with local access and low-privilege authenticated user permissions can exploit this issue with low attack complexity and no user interaction. Exploitation enables privilege escalation, allowing the attacker to gain elevated access on the BMC. This results in low confidentiality impact, high integrity impact, and no availability impact, with the changed scope amplifying the severity.

Intel's security advisory (INTEL-SA-00990), available at https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00990.html, details the vulnerability and mitigation steps, which include updating the affected BMC Firmware to version 02.01.0017 or later for S2600WF, S2600ST, and S2600BP boards, and R01.01.0009 or later for M50CYP and D50TNP boards.

EU & UK References

Vulnerability details

Improper access control in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) Server Board M50CYP and Intel(R) Server Board D50TNP before version R01.01.0009 may allow an authenticated…

more

user to enable escalation of privilege via local access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via improper access control in BMC firmware matches Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48898Shared CWE-284
CVE-2026-25176Shared CWE-284
CVE-2026-48899Shared CWE-284
CVE-2026-37526Shared CWE-284
CVE-2024-56883Shared CWE-284
CVE-2026-42823Shared CWE-284
CVE-2026-0844Shared CWE-284
CVE-2026-41086Shared CWE-284
CVE-2026-35242Shared CWE-284
CVE-2026-33834Shared CWE-284

Affected Assets

Intel
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper access control flaw by requiring timely firmware updates to the specified fixed versions for affected Intel Server Boards.

prevent

Enforces approved authorizations in the BMC firmware to prevent low-privilege authenticated users from escalating privileges via local access.

prevent

Applies least privilege to BMC user accounts, limiting the scope and impact of privilege escalation even if access enforcement is flawed.

References