HP has released a high-priority security notice for enterprise administrators and IT managers regarding CVE-2025-31648, a firmware vulnerability affecting many Intel-based workstations. This issue is found in the Intel processor microcode and could allow attackers to gain higher access rights in certain situations.  

As of March 2026, HP launched the final and urgent remediation phase for business-class workstation fleets, including the Z by HP and Elite series. This alert stresses the need for prompt action and outlines fleet-wide remediation procedures.  

Technical Summary: CVE-2025-31648 

The vulnerability results from improper handling of values in processor microcode during critical system operations. It manifests when the system startup code interfaces with System Management Mode (SMM), a privileged hardware-controlled environment.  

Intel rates the base severity as low due to the attack’s complexity; nonetheless, the risk is grave for secure environments. Failing to act promptly may leave systems exposed: an attacker with privileged local access and deep knowledge of microcode could bypass normal security limits because this is a firmware-level vulnerability. Standard OS-based endpoint detection and response tools cannot detect it.  

Affected HP Workstation Platforms 

HP’s Security Advisory confirms that the vulnerability impacts several generations of Intel-based hardware currently deployed in enterprise fleets:  

  • Z by HP Workstations: models spanning the G8, G9, and the latest G11 generations (including Z2, Z4, Z6, and Z8 towers).  
  • EliteBook and Elite desktop series: business-class systems utilizing 12th through 14th Gen Intel Core processors.  
  • HPE SimpliVity and ProLiant nodes: certain workstation-adjacent server nodes used in edge compute environments.  

The Resolution: Firmware And Microcode Updates 

HPE is fixing CVE-2025-31648 by releasing BIOS and UEFI firmware updates that will include the latest Intel Platform Update (IPU/2026.1) microcode.  

Fleet administrators must follow these steps to resolve the issue:  

  1. Utilize HP Client Management Script Library (CMSL) or Microsoft Endpoint Configuration Manager to audit BIOS versions across the fleet.  
  2. Acquire SoftPaqs: HP has released specific SoftPaq bundles for each affected model. These are available via the HPE Support Site or HPE Image Assistant Tool.  
  3. Validate the microcode revision after updating. Verify that the microcode version meets the requirements outlined in Intel Advisory Intel SA-01399.6.  
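
An added example, not HP's or Intel's tooling: a Python check for the audit and post-update validation steps above, run over a fleet inventory export. The BIOS family codes, CPUID signatures, minimum versions and inventory rows are constructed placeholders; the real minimums come from the HP and Intel advisories.

```python
import csv, io, re

# Constructed placeholders: take the real minimums from HP's advisory (BIOS,
# per BIOS family) and Intel's advisory (microcode, per CPUID signature).
MIN_BIOS = {"U61": (1, 10, 0), "V74": (1, 5, 2)}
MIN_UCODE = {"B06A2": 0x4200, "906A3": 0x500}

# Constructed sample inventory, e.g. exported from CMSL or Configuration Manager.
SAMPLE = """host,bios,cpuid,ucode
ws-001,U61 Ver. 01.10.00,B06A2,0x4200
ws-002,U61 Ver. 01.09.03,B06A2,0x4200
ws-003,V74 Ver. 01.05.02,906A3,0000000034040000
ws-004,V74 Ver. 01.06.00,906A3,
ws-005,X99 Ver. 02.00.00,B06A2,0x4300
"""

def parse_bios(s):
    """'U61 Ver. 01.10.00' -> ('U61', (1, 10, 0)); None if unparseable."""
    m = re.fullmatch(r"\s*(\w+)\s+Ver\.\s*(\d+(?:\.\d+)*)\s*", s or "")
    return (m.group(1), tuple(int(p) for p in m.group(2).split("."))) if m else None

def parse_ucode(s):
    """Accept '0x4200' (/proc/cpuinfo style) or the 16 hex digits of the
    Windows 'Update Revision' REG_BINARY, whose last 4 bytes hold the
    revision in little-endian order."""
    s = (s or "").strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"[0-9a-fA-F]{16}", s):
        return int.from_bytes(bytes.fromhex(s)[4:], "little")
    return None

def audit(text):
    """Return {host: [findings]}; an empty list means the host passes."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = []
        bios, ucode = parse_bios(row["bios"]), parse_ucode(row["ucode"])
        if bios is None or bios[0] not in MIN_BIOS:
            findings.append("bios-unknown")       # no baseline: review by hand
        elif bios[1] < MIN_BIOS[bios[0]]:         # numeric tuple compare per family
            findings.append("bios-outdated")
        need = MIN_UCODE.get(row["cpuid"].upper())
        if ucode is None or need is None:
            findings.append("ucode-unknown")      # missing data is not a pass
        elif ucode < need:
            findings.append("ucode-outdated")     # BIOS may be current, microcode not
        report[row["host"]] = findings
    return report
```

Host ws-003 is the case the validation step exists for: its BIOS meets the baseline, but the reported microcode revision is still below the required one.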

Strategic Mitigation for Fleets 

In addition to applying immediate patches, HPE strongly urges reinforcing workstation security by enabling these hardware-based features without delay.  

  • Enable HP Sure Start: Ensure the self-healing BIOS feature is enabled to protect against unauthorized firmware changes during updates.  
  • Strict Local Privilege: Because the attack requires a privileged user, enforce a strict least-privilege model at the operating system level to help prevent such attacks.  
  • Implement Secure Boot: Check that UEFI Secure Boot is enabled to keep the system secure from start-up through operating system launch.  

Conclusion 

Although CVE-2025-31648 is difficult to exploit, it represents a serious breach of hardware trust. Organizations with large workstation fleets must act without delay and update to the February or March 2026 firmware versions. Immediate updates are essential to maintaining long-term system security. 

Source: Intel Processor Firmware February 2026 Security Update 
