CVE-2019-12532

Name: CVE-2019-12532
Creator: NVD / NIST
Published: 2019-08-26T18:15:11.797+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.40%

Last modified Jun 17, 2026

CVE-2019-12532 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. EPSS estimates a 0.40% chance of exploitation in the next 30 days.

Description

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.40%

32.0th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Insyde	H2oelv	< 100.00.02.08
Insyde	H2offt	>= 3.02, <= 5.28
Insyde	H2offt	>= 100.00.00.00, <= 100.00.08.23
Insyde	H2offt	>= 200.00.00.01, <= 200.00.00.05
Insyde	H2ooae	< 200.00.00.02
Insyde	H2opcm	< 100.00.06.00
Insyde	H2osde	< 200.00.00.07
Insyde	H2ouve	< 200.00.02.02

References

https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/Third Party Advisory
https://security.netapp.com/advisory/ntap-20220223-0004/Third Party Advisory
https://www.insyde.com/security-pledge/SA-2019001Vendor Advisory
https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/Third Party Advisory
https://security.netapp.com/advisory/ntap-20220223-0004/Third Party Advisory
https://www.insyde.com/security-pledge/SA-2019001Vendor Advisory

Timeline

Published: Aug 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-12532?

How severe is CVE-2019-12532?

CVE-2019-12532 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.40% probability of exploitation in the next 30 days.

How do I fix CVE-2019-12532?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-12532?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST