June 23, 2026
Intel EMA Privilege Escalation
A Quick Review for SOC Analysts | June 2026

By Fayaz Ismail
Overview
Intel EMA (Endpoint Management Assistant) is software used by IT teams to remotely manage company computers: think remote power control, screen takeover, and OS reinstalls, all without touching the device. It works even when the computer is off or the OS has crashed, because it runs at the hardware level through Intel AMT (Active Management Technology).
CVE-2025-35990 is a privilege escalation vulnerability in Intel EMA versions before v1.14.5. An attacker on the same network with no username, no password, and no special skills can send malformed input to the EMA software and trick it into granting higher access than it should.
Why It Matters
EMA is not just another app. It gives whoever controls it the same power as physically sitting in front of every managed computer in the organization. Here is what an attacker can do once they exploit this vulnerability:
• Power on or shut down any managed endpoint remotely
• Take over the screen with full keyboard and mouse control (KVM)
• Push a new operating system image, silently wiping and replacing what is on the device
• Access all of this even if the computer is off or the OS has crashed
• Bypass antivirus and EDR tools entirely, since AMT runs below the OS
Real-world risk: An attacker who gets into the same network through phishing, a rogue device, or a compromised contractor laptop can exploit this to take over your entire device fleet. No credentials. No alerts. No OS-level traces.
How to Survive: Mitigation Steps
Patch First: Everything Else Is Temporary
Download and install Intel EMA v1.14.5 or later from the official Intel download page:
If You Cannot Patch Right Now:
✓ Block ports 8080, 8443, 16992, and 16993 from all non-admin devices using firewall rules or ACLs
✓ Only allow IT admin workstations to reach the EMA server
✓ Move the EMA server to an isolated management VLAN if it is not already there
✓ Consider taking EMA offline temporarily if none of the above is possible
After Patching, Harden Your Setup:
✓ Enable MFA (multi-factor authentication) on the EMA admin console
✓ Rotate all EMA admin passwords and AMT provisioning credentials
✓ Review and remove stale or unused EMA user accounts
✓ Subscribe to Intel PSIRT alerts so future advisories reach you early
The Bottom Line for SOC Analysts
If your organization uses Intel vPro devices and has EMA deployed, treat this as a Priority 1 patch. Do not wait for your next maintenance window.
Three things to do today:
• Find out if EMA is in your environment and what version it is running
• Check what network segments can reach the EMA server
• Apply the patch to v1.14.5 or isolate the server until you can
What makes this tricky for SOC teams:
• AMT activity happens below the OS, so your EDR will not see it
• Post-exploitation leaves no standard Windows event logs from the attacker side
• One compromised EMA server = access to every managed endpoint in the fleet
Detection tip: Watch for unexpected connections to EMA ports (8080, 8443, 16992, 16993) from IPs that are not on your approved admin list. Any anonymous or unauthenticated attempt is a red flag.
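The detection tip above, as an added example (not from Intel or the original article): a Python check that reads firewall or flow log records and reports every source outside the approved admin list that touched the EMA server on the four ports named here, including whether any attempt was allowed through. The log format, the server address 10.20.0.10 and the admin range 10.20.5.0/28 are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Ports named in the article for the EMA server and AMT.
EMA_PORTS = {8080, 8443, 16992, 16993}
# Assumptions for this example: replace with your EMA server and admin ranges.
EMA_SERVERS = {ipaddress.ip_address("10.20.0.10")}
ADMIN_NETS = [ipaddress.ip_network("10.20.5.0/28")]

# Constructed sample flow log: time,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2026-06-23T09:00:01Z,10.20.5.4,10.20.0.10,8443,allow
2026-06-23T09:02:17Z,10.30.7.88,10.20.0.10,8080,allow
2026-06-23T09:02:19Z,10.30.7.88,10.20.0.10,16993,deny
2026-06-23T09:05:40Z,10.30.7.88,10.20.0.10,443,allow
2026-06-23T09:06:02Z,10.20.5.9,10.20.0.10,16992,allow
this line is truncated,10.30
2026-06-23T09:07:55Z,192.168.50.3,10.20.0.10,8443,allow
2026-06-23T09:08:10Z,10.40.1.7,10.20.0.10,16992,deny
"""

def find_unapproved(log_text):
    """Return {src_ip: {"count", "ports", "reached"}} for non-admin sources
    that contacted an EMA server on an EMA/AMT port."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "reached": False})
    for row in csv.reader(log_text.splitlines()):
        try:
            _ts, src, dst, port, action = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed or truncated records
        if dst not in EMA_SERVERS or port not in EMA_PORTS:
            continue
        if any(src in net for net in ADMIN_NETS):
            continue  # approved admin workstation
        entry = hits[str(src)]
        entry["count"] += 1
        entry["ports"].add(port)
        # An allowed flow means no firewall rule or ACL stopped the connection.
        entry["reached"] |= action.strip().lower() == "allow"
    return dict(hits)

if __name__ == "__main__":
    for src, info in sorted(find_unapproved(SAMPLE_LOG).items()):
        state = "REACHED SERVER" if info["reached"] else "blocked"
        print(f"{src}: {info['count']} hits, ports {sorted(info['ports'])}, {state}")
```

Sources marked as having reached the server are the ones to triage first, since they show the port blocks listed under the mitigation steps are not in effect for that segment.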
This vulnerability was discovered by Max Keasley and responsibly disclosed to Intel through their bug bounty program. Intel released the fix in EMA v1.14.5 before public disclosure. Intel Advisory: INTEL-SA-01434.
Source: Intel PSIRT Advisory INTEL-SA-01434 | CVE Record: cve.org/CVERecord?id=CVE-2025-35990 | June 2026