New Phoenix RowHammer attack cracks open DDR5 memory defenses in minutes

It took researchers less than two minutes to crack open a computer

· TechRadar

News By Sead Fadilpašić published 16 September 2025

(Image credit: Shutterstock)

  • Phoenix RowHammer variant affects DDR5 desktop systems, bypassing all known mitigations on SK Hynix chips
  • Attackers can gain root access and steal RSA keys within minutes using default system settings
  • Researchers recommend tripling refresh rates, as DRAM devices cannot be patched and remain vulnerable long-term

Standard, production-grade desktop systems were, for the first time ever, found vulnerable to a variant of RowHammer, a hardware-based security vulnerability affecting DDR5 chips.

RowHammer affects Dynamic Random-Access Memory (DRAM) chips and allows attackers to manipulate memory contents by repeatedly accessing - “hammering” - a specific row of memory cells.

This causes electrical interference that can flip bits in adjacent rows, without actually accessing those rows, and results in privilege escalation, remote exploits, and different mobile vulnerabilities.

Privilege escalation and root access

The vulnerability was first spotted more than a decade ago, and has been addressed through patches multiple times. However, as RAM chips get better - and memory cells get squeezed closer together - the risk of RowHammer attacks increases.

The latest discovery is called Phoenix, and is tracked as CVE-2025-6202. It was given a severity score of 7.1/10 (high), and successfully bypasses all known mitigations on chips built by South Korean semiconductor manufacturer SK Hynix.

"We have proven that reliably triggering RowHammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale," ETH Zürich said. "We also proved that on-die ECC does not stop RowHammer, and RowHammer end-to-end attacks are still possible with DDR5."

The researchers are claiming they can trigger privilege escalation and gain root access on a DDR5 system with default settings in less than two minutes. Practical use includes stealing RSA-2048 keys of a co-located virtual machine, thus breaking SSH authentication. A separate scenario includes using the sudo binary to escalate local privileges to the root user.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors