CVE-2019-14607 [Medium] | Information Disclosure in Xeon Platinum 9282 Firmware

CVE-2019-14607 is rated Low Risk (30.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.34%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.15%	0.34%	+0.19%
2	2025-11-21	0.07%	0.15%	+0.09%
3	2025-11-18	—	0.07%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.15%

0.34%

+0.19%

2025-11-21

0.07%

0.15%

+0.09%

2025-11-18

—

0.07%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	1.8	3.4	[email protected]
4.6	2.0	MEDIUM	`AV:L/AC:L/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	3.9	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.3

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

1.8

3.4

[email protected]

4.6

2.0

MEDIUM

AV:L/AC:L/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

3.9

6.4

[email protected]

OS Trackers for CVE-2019-14607

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2019-14607 not yet assigned priority: Debian including 1 source packages (intel-microcode), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2019-14607
`suse`	medium	CVE-2019-14607 severity moderate: SUSE including 1 source package names (ucode-intel), 16 product×package rows across 16 product lines (SUSE CaaS Platform 3.0, SUSE Linux Enterprise Desktop 12 SP4, … (16 product lines)): Known Not Affected 16.	https://www.suse.com/security/cve/CVE-2019-14607/
`ubuntu`	medium	CVE-2019-14607 medium priority: Ubuntu including 1 source packages (intel-microcode), 6 status rows across 6 suites (bionic, disco, eoan, trusty, upstream, xenial): released 5, needs-triage 1.	https://ubuntu.com/security/CVE-2019-14607

Affected software / configurations for CVE-2019-14607

Vendor	Product	Version	Raw CPE
intel	xeon_platinum_9282_firmware	—	cpe:2.3:o:intel:xeon_platinum_9282_firmware:-:::::::*
intel	xeon_platinum_9242_firmware	—	cpe:2.3:o:intel:xeon_platinum_9242_firmware:-:::::::*
intel	xeon_platinum_9222_firmware	—	cpe:2.3:o:intel:xeon_platinum_9222_firmware:-:::::::*
intel	xeon_platinum_9221_firmware	—	cpe:2.3:o:intel:xeon_platinum_9221_firmware:-:::::::*
intel	xeon_platinum_8280m_firmware	—	cpe:2.3:o:intel:xeon_platinum_8280m_firmware:-:::::::*
intel	xeon_platinum_8280l_firmware	—	cpe:2.3:o:intel:xeon_platinum_8280l_firmware:-:::::::*
intel	xeon_platinum_8280_firmware	—	cpe:2.3:o:intel:xeon_platinum_8280_firmware:-:::::::*
intel	xeon_platinum_8276m_firmware	—	cpe:2.3:o:intel:xeon_platinum_8276m_firmware:-:::::::*
intel	xeon_platinum_8276l_firmware	—	cpe:2.3:o:intel:xeon_platinum_8276l_firmware:-:::::::*
intel	xeon_platinum_8276_firmware	—	cpe:2.3:o:intel:xeon_platinum_8276_firmware:-:::::::*
intel	xeon_platinum_8270_firmware	—	cpe:2.3:o:intel:xeon_platinum_8270_firmware:-:::::::*
intel	xeon_platinum_8268_firmware	—	cpe:2.3:o:intel:xeon_platinum_8268_firmware:-:::::::*
intel	xeon_platinum_8260y_firmware	—	cpe:2.3:o:intel:xeon_platinum_8260y_firmware:-:::::::*
intel	xeon_platinum_8260m_firmware	—	cpe:2.3:o:intel:xeon_platinum_8260m_firmware:-:::::::*
intel	xeon_platinum_8260l_firmware	—	cpe:2.3:o:intel:xeon_platinum_8260l_firmware:-:::::::*
intel	xeon_platinum_8260_firmware	—	cpe:2.3:o:intel:xeon_platinum_8260_firmware:-:::::::*
intel	xeon_platinum_8256_firmware	—	cpe:2.3:o:intel:xeon_platinum_8256_firmware:-:::::::*
intel	xeon_platinum_8253_firmware	—	cpe:2.3:o:intel:xeon_platinum_8253_firmware:-:::::::*
intel	xeon_gold_6262v_firmware	—	cpe:2.3:o:intel:xeon_gold_6262v_firmware:-:::::::*
intel	xeon_gold_6254_firmware	—	cpe:2.3:o:intel:xeon_gold_6254_firmware:-:::::::*
intel	xeon_gold_6252n_firmware	—	cpe:2.3:o:intel:xeon_gold_6252n_firmware:-:::::::*
intel	xeon_gold_6252_firmware	—	cpe:2.3:o:intel:xeon_gold_6252_firmware:-:::::::*
intel	xeon_gold_6248_firmware	—	cpe:2.3:o:intel:xeon_gold_6248_firmware:-:::::::*
intel	xeon_gold_6246_firmware	—	cpe:2.3:o:intel:xeon_gold_6246_firmware:-:::::::*
intel	xeon_gold_6244_firmware	—	cpe:2.3:o:intel:xeon_gold_6244_firmware:-:::::::*
intel	xeon_gold_6242_firmware	—	cpe:2.3:o:intel:xeon_gold_6242_firmware:-:::::::*
intel	xeon_gold_6240y_firmware	—	cpe:2.3:o:intel:xeon_gold_6240y_firmware:-:::::::*
intel	xeon_gold_6240m_firmware	—	cpe:2.3:o:intel:xeon_gold_6240m_firmware:-:::::::*
intel	xeon_gold_6240l_firmware	—	cpe:2.3:o:intel:xeon_gold_6240l_firmware:-:::::::*
intel	xeon_gold_6240_firmware	—	cpe:2.3:o:intel:xeon_gold_6240_firmware:-:::::::*
intel	xeon_gold_6238t_firmware	—	cpe:2.3:o:intel:xeon_gold_6238t_firmware:-:::::::*
intel	xeon_gold_6238m_firmware	—	cpe:2.3:o:intel:xeon_gold_6238m_firmware:-:::::::*
intel	xeon_gold_6238l_firmware	—	cpe:2.3:o:intel:xeon_gold_6238l_firmware:-:::::::*
intel	xeon_gold_6238_firmware	—	cpe:2.3:o:intel:xeon_gold_6238_firmware:-:::::::*
intel	xeon_gold_6234_firmware	—	cpe:2.3:o:intel:xeon_gold_6234_firmware:-:::::::*
intel	xeon_gold_6230t_firmware	—	cpe:2.3:o:intel:xeon_gold_6230t_firmware:-:::::::*
intel	xeon_gold_6230n_firmware	—	cpe:2.3:o:intel:xeon_gold_6230n_firmware:-:::::::*
intel	xeon_gold_6230_firmware	—	cpe:2.3:o:intel:xeon_gold_6230_firmware:-:::::::*
intel	xeon_gold_6226_firmware	—	cpe:2.3:o:intel:xeon_gold_6226_firmware:-:::::::*
intel	xeon_gold_6222v_firmware	—	cpe:2.3:o:intel:xeon_gold_6222v_firmware:-:::::::*
intel	xeon_gold_5222_firmware	—	cpe:2.3:o:intel:xeon_gold_5222_firmware:-:::::::*
intel	xeon_gold_5220t_firmware	—	cpe:2.3:o:intel:xeon_gold_5220t_firmware:-:::::::*
intel	xeon_gold_5220s_firmware	—	cpe:2.3:o:intel:xeon_gold_5220s_firmware:-:::::::*
intel	xeon_gold_5220_firmware	—	cpe:2.3:o:intel:xeon_gold_5220_firmware:-:::::::*
intel	xeon_gold_5218t_firmware	—	cpe:2.3:o:intel:xeon_gold_5218t_firmware:-:::::::*
intel	xeon_gold_5218n_firmware	—	cpe:2.3:o:intel:xeon_gold_5218n_firmware:-:::::::*
intel	xeon_gold_5218b_firmware	—	cpe:2.3:o:intel:xeon_gold_5218b_firmware:-:::::::*
intel	xeon_gold_5218_firmware	—	cpe:2.3:o:intel:xeon_gold_5218_firmware:-:::::::*
intel	xeon_gold_5217_firmware	—	cpe:2.3:o:intel:xeon_gold_5217_firmware:-:::::::*
intel	xeon_gold_5215m_firmware	—	cpe:2.3:o:intel:xeon_gold_5215m_firmware:-:::::::*
intel	xeon_gold_5215l_firmware	—	cpe:2.3:o:intel:xeon_gold_5215l_firmware:-:::::::*
intel	xeon_gold_5215_firmware	—	cpe:2.3:o:intel:xeon_gold_5215_firmware:-:::::::*
intel	xeon_silver_4216_firmware	—	cpe:2.3:o:intel:xeon_silver_4216_firmware:-:::::::*
intel	xeon_silver_4215_firmware	—	cpe:2.3:o:intel:xeon_silver_4215_firmware:-:::::::*
intel	xeon_silver_4214y_firmware	—	cpe:2.3:o:intel:xeon_silver_4214y_firmware:-:::::::*
intel	xeon_silver_4214_firmware	—	cpe:2.3:o:intel:xeon_silver_4214_firmware:-:::::::*
intel	xeon_silver_4210_firmware	—	cpe:2.3:o:intel:xeon_silver_4210_firmware:-:::::::*
intel	xeon_silver_4209t_firmware	—	cpe:2.3:o:intel:xeon_silver_4209t_firmware:-:::::::*
intel	xeon_silver_4208_firmware	—	cpe:2.3:o:intel:xeon_silver_4208_firmware:-:::::::*
intel	xeon_bronze_3204_firmware	—	cpe:2.3:o:intel:xeon_bronze_3204_firmware:-:::::::*
intel	xeon_d-2187nt_firmware	—	cpe:2.3:o:intel:xeon_d-2187nt_firmware:-:::::::*
intel	xeon_d-2183it_firmware	—	cpe:2.3:o:intel:xeon_d-2183it_firmware:-:::::::*
intel	xeon_d-2177nt_firmware	—	cpe:2.3:o:intel:xeon_d-2177nt_firmware:-:::::::*
intel	xeon_d-2173it_firmware	—	cpe:2.3:o:intel:xeon_d-2173it_firmware:-:::::::*
intel	xeon_d-2166nt_firmware	—	cpe:2.3:o:intel:xeon_d-2166nt_firmware:-:::::::*
intel	xeon_d-2163it_firmware	—	cpe:2.3:o:intel:xeon_d-2163it_firmware:-:::::::*
intel	xeon_d-2161i_firmware	—	cpe:2.3:o:intel:xeon_d-2161i_firmware:-:::::::*
intel	xeon_d-2146nt_firmware	—	cpe:2.3:o:intel:xeon_d-2146nt_firmware:-:::::::*
intel	xeon_d-2145nt_firmware	—	cpe:2.3:o:intel:xeon_d-2145nt_firmware:-:::::::*
intel	xeon_d-2143it_firmware	—	cpe:2.3:o:intel:xeon_d-2143it_firmware:-:::::::*
intel	xeon_d-2142it_firmware	—	cpe:2.3:o:intel:xeon_d-2142it_firmware:-:::::::*
intel	xeon_d-2141i_firmware	—	cpe:2.3:o:intel:xeon_d-2141i_firmware:-:::::::*
intel	xeon_d-2123it_firmware	—	cpe:2.3:o:intel:xeon_d-2123it_firmware:-:::::::*
intel	xeon_d-1653n_firmware	—	cpe:2.3:o:intel:xeon_d-1653n_firmware:-:::::::*
intel	xeon_d-1649n_firmware	—	cpe:2.3:o:intel:xeon_d-1649n_firmware:-:::::::*
intel	xeon_d-1637_firmware	—	cpe:2.3:o:intel:xeon_d-1637_firmware:-:::::::*
intel	xeon_d-1633n_firmware	—	cpe:2.3:o:intel:xeon_d-1633n_firmware:-:::::::*
intel	xeon_d-1627_firmware	—	cpe:2.3:o:intel:xeon_d-1627_firmware:-:::::::*
intel	xeon_d-1623n_firmware	—	cpe:2.3:o:intel:xeon_d-1623n_firmware:-:::::::*
intel	xeon_d-1622_firmware	—	cpe:2.3:o:intel:xeon_d-1622_firmware:-:::::::*

References for CVE-2019-14607

URL	Tags
https://security.netapp.com/advisory/ntap-20191217-0002/	Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html	Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_19_42	Third Party Advisory

URL

CVE-2019-14607

Exploit prediction scoring system (EPSS) score for CVE-2019-14607

Common vulnerability scoring system (CVSS) metrics for CVE-2019-14607

Weakness enumeration for CVE-2019-14607

OS Trackers for CVE-2019-14607

Affected software / configurations for CVE-2019-14607

References for CVE-2019-14607