
AMD AutoUpdate RCE gets CVE after lengthy embargo

Hacker News

A hobbyist dissected AMD’s AutoUpdate utility after it repeatedly opened a console window on his new gaming rig. Decompilation revealed the updater reads an XML manifest over HTTPS but lists download URLs with plain HTTP, making the system vulnerable during routine driver updates. An attacker capable of a man‑in‑the‑middle could swap the executable, and the client would run it without signature checks.

The researcher reported the flaw to AMD’s bug‑bounty platform Intigriti, which dismissed it as out‑of‑scope because exploitation requires a MITM scenario. AMD’s PSIRT later reopened the case, promised a fix, and asked the author to remove his public write‑up. After a 124‑day embargo, AMD issued a CVE and claimed the updater now validates downloads via HTTPS, though verification remains a simple CRC‑32 and other utilities.

The incident highlights how optional tooling can expose millions of PCs to trivial hijacks, yet remediation may be as simple as changing “http” to “https” in a config file. The researcher notes he received no bounty—an amount that could have been around $10k—and urges AMD users to uninstall the outdated updater until the patched version ships across platforms.
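The two weaknesses described above (plain-HTTP download URLs inside an HTTPS-delivered manifest, and CRC-32 as the only download check) can be caught by a manifest audit like the following. This is an added example, not AMD's code or the researcher's; the manifest layout, element names and attribute names are hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest; element and attribute names are hypothetical.
SAMPLE_MANIFEST = """\
<updates>
  <package name="driver-a" url="http://updates.example.com/a.exe" crc32="1c291ca3"/>
  <package name="driver-b" url="https://updates.example.com/b.exe" crc32="0badf00d"/>
  <package name="driver-c" url="https://updates.example.com/c.exe"
           sha256="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"/>
</updates>
"""

def audit_manifest(xml_text):
    """Return (package, issue) pairs for entries an update client should refuse."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = pkg.get("name", "?")
        # The manifest arriving over HTTPS does not protect a payload fetched over HTTP.
        if urlsplit(pkg.get("url", "")).scheme.lower() != "https":
            findings.append((name, "download URL is not HTTPS"))
        # CRC-32 detects accidental corruption only; it is not tamper evidence.
        if len(pkg.get("sha256", "")) != 64:
            findings.append((name, "no SHA-256 digest"))
    return findings

def verify_download(data, expected_sha256):
    """Compare the payload's SHA-256 with the manifest value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

if __name__ == "__main__":
    for name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {issue}")
```

A digest carried in the manifest is only as trustworthy as the manifest's own transport, and it does not replace verifying a code signature on the executable before running it.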