Researchers have identified critical vulnerabilities in the firmware of Supermicro’s baseboard management controller (BMC), which could expose servers to significant risks. Supermicro, a prominent manufacturer of server motherboards widely used in data centers, utilizes BMCs to monitor system health independently of the operating system, even when servers are powered down. If attackers manipulate this firmware, they could gain unauthorized control over the server at a fundamental level.
The security firm Binarly reported two major vulnerabilities in the Supermicro BMC firmware. The first, identified as CVE-2025-7937, relates to weaknesses in the firmware validation logic. This high-severity vulnerability (CVSS score of 7.2) allows attackers to install malicious firmware if exploited. Binarly made this discovery while testing a prior patch for another vulnerability, CVE-2024-10237, uncovered by the Nvidia Offensive Security Research Team, which similarly allowed for the installation of rogue firmware.
The second vulnerability, CVE-2025-6198, affects the firmware of the Supermicro X13SEM-F motherboard and also carries a CVSS score of 7.2. Although both vulnerabilities require the attacker to already hold administrative access to the system, which lowers the likelihood of exploitation, real-world attacks have shown that such access is often obtained indirectly.
The vulnerabilities arise from flaws in the validation checks that are meant to prevent legitimate firmware from being replaced with malicious code. Binarly found that while Supermicro had modified these checks to block the earlier attack, the validation could still be bypassed through the new vulnerabilities.
To mitigate these risks, Binarly recommends that organizations improve their firmware verification and integrity checks, promptly apply patches for known vulnerabilities, and enable Root of Trust (RoT) security where hardware allows. Continuous monitoring and routine security audits are also necessary to combat firmware manipulation effectively.
Despite the rarity of documented attacks targeting firmware at this level, the existence of these vulnerabilities underscores an essential need for vigilance in security practices.