Preface: What is the difference between FreeRTOS and Cmsis-RTOS?

Basically FreeRTOS is a RTOS, while CMSIS-RTOS is only a wrapper for any RTOS (like FreeRTOS, CMSIS-RTOS RTX or anything you want). CMSIS-RTOS is an API that enables consistent software layers with middleware and library components. Mbed TLS aims to provide a set of powerful and flexible cryptographic and security building blocks, mainly for embedded systems, focusing on ease of integration and security. The design objective strives to be lean,  prioritizing readability, documentation and testability, while minimizing dependencies and providing a loosely coupled architecture. This allows developers to integrate only the necessary components without the overhead of the entire library.

Background: Do multi-threaded programs use the same AES key?

Yes, multithreaded programs using AES encryption typically use the same AES key for both encryption and decryption, as AES is a symmetric encryption algorithm. Both the sender and receiver need to share the same secret key to encrypt and decrypt data. In a multithreaded context, each thread would utilize this shared key when performing encryption or decryption operations.

Vulnerability details: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-52496

Preface: The default configuration of the ABB RMC-100’s REST interface is disabled. ABB recommends leaving the REST interface disabled when not in use, particularly when configuring MQTT functionality. The RMC-100 is not intended for access over public networks.

Background: The ABB RMC-100 is a popular and widely used remote modular controller, particularly within the oil and gas industry. It is known for its scalability and ability to manage automation, liquids and gas measurement, and asset data concentration for various facility sizes, from large production and transmission facilities to smaller systems. The RMC-100 is part of ABB’s Totalflow portfolio, which has seen over 430,000 units sold since the 1980s.

Service available in some Totalflow devices like the RMC-100. When enabled, the device REST server capabilities are enabled. The device then can be accessed by a REST client such as a web browser. The access is for the configuration of the MQTT parameters.

Uses HTTP methods (protocol) to access resources on a REST server. For example, the web browser which accesses the MQTT configuration interface on the RMC-100.

Vulnerability details: Stack-based Buffer Overflow vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to the control network, and user/password broker authentication is enabled, and CVE-2025-6074 is exploited, the attacker can overflow the buffer for username or password.

Affected Products: This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-6073

Preface: Users typically build custom PMU firmware tailored to their specific hardware platform and application requirements.

PMU firmware can be loaded by either FSBL or CSU BootROM (CBR). Both these flows are supported by AMD. Loading PMU firmware using FSBL has the following benefits:

– Possible quick boot time, when PMU firmware is loaded after bitstream.

– In use cases where you want two BIN files – stable and upgradable, PMU firmware can be part of the upgradable (by FSBL) image.

Background: The primary design objective of AMD’s Zynq™ UltraScale+™ devices is to provide a highly integrated platform that combines the processing power of a multi-core ARM processor with the flexibility of programmable logic (FPGA fabric). This enables a wide range of applications by offering both real-time control and processing capabilities within a single chip. The devices also prioritize low power consumption, security features, and efficient memory management.

Ref: Arm Trusted Firmware (ATF) and its role in managing the Secure Monitor and Trusted Board Boot Requirements (TBBR). These are essential for establishing a secure boot process and managing transitions between the secure and non-secure worlds in Arm-based systems like the Zynq UltraScale+.

Vulnerability details: In AMD Zynq UltraScale+ devices, the lack of address validation when executing CSU runtime services through the PMU Firmware can allow access to isolated or protected memory spaces resulting in the loss of integrity and confidentiality.

Official announcement: Please see the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8008.html

https://docs.amd.com/r/en-US/000037628/Affected-Products