
Security researchers have identified new vulnerabilities in Supermicro’s Baseboard Management Controller (BMC) firmware that allow attackers to install malicious firmware images, creating persistent backdoors on affected servers. These flaws, which follow incomplete patches for similar issues disclosed earlier in 2025, enable attackers to bypass cryptographic signature verification and compromise the server’s Root of Trust (RoT). The persistence of these vulnerabilities highlights a systemic security challenge affecting a critical component present in data centers and enterprise infrastructure worldwide.
The newly discovered vulnerabilities, CVE-2025-7937 and CVE-2025-6198, represent bypasses of fixes that Supermicro implemented in January 2025 for a critical design flaw (CVE-2024-10237). According to research from Binarly, the initial patch attempted to address a vulnerability in the firmware validation process but contained logical errors that attackers could exploit using similar techniques. These vulnerabilities affect a wide range of Supermicro motherboards, including X12 and X13 series models used in enterprise servers and AI infrastructure.
Historical Context of BMC Security Issues
The security challenges with BMC implementations are not new and have been documented by researchers since at least 2013. The Intelligent Platform Management Interface (IPMI) protocol, which BMCs implement, has contained fundamental design flaws that enable authentication bypass and password hash extraction. Research from CERT-IST in 2013 highlighted issues such as the “Cipher 0” authentication bypass, where requesting this cipher would allow command execution without a password if the attacker knew a valid username. Similarly, the RAKP mechanism allowed unauthenticated clients to retrieve password hashes for offline cracking, a specification-level issue that required network segmentation as the primary mitigation.
Early attack scenarios described by researchers including HD Moore, founder of Metasploit, outlined how compromised BMCs could host spyware to collect passwords from management sessions or deploy persistent rootkits invisible to IPMI logs. The virtual KVM and virtual media features of BMCs could be weaponized to take control of the host operating system. Perhaps most relevant to the current vulnerabilities, research from the University of Michigan in 2013 demonstrated how software on the host could reflash the BMC firmware via the KCS interface without authentication on Supermicro servers specifically. This historical context establishes that the current vulnerabilities are the latest manifestation of long-standing design problems rather than isolated incidents.
Technical Breakdown of the Firmware Validation Flaws
The core vulnerability, CVE-2024-10237, identified by NVIDIA’s Offensive Security Team and patched by Supermicro in January 2025, was a logical flaw in the firmware image authentication process. The validation mechanism relied on a `fwmap` table within the image itself to define which regions should be considered “signed” for hash digest calculation. This design allowed attackers to inject a malicious `fwmap` table before the legitimate one, redefining the signed regions to include unused space into which the original content was moved. Because the digest over the rearranged regions still matched the signed value, the system would accept a maliciously modified image as genuine.
Supermicro’s initial patch introduced two validation functions: `fwmap_offset_check`, which restricted `fwmap` entries to a whitelist of hardcoded offsets, and `fwmap_attr_check`, which enforced which regions must be marked as signed. However, researchers from Binarly discovered that this fix was incomplete. The code continued to search memory for the `fwmap` signature, and the whitelist included essential regions like `bootloader`. This oversight enabled the first bypass, designated CVE-2025-7937.
The exploitation technique for CVE-2025-7937 involved creating a new `fwmap` table at an allowed offset (`0xe0000`) containing a single, large entry that encompassed all the original signed regions. By placing malicious code within the space defined for the `bootloader` and relocating the original data, the image passed the new checks because the calculated digest of the large, contiguous “bootloader” region still matched the signed value. Successful exploitation results in persistent arbitrary code execution during the BMC boot process, with proof-of-concept images available on Binarly’s GitHub repository.
Root of Trust Bypass on Modern Hardware
While analyzing a different motherboard (X13SEM-F), which Supermicro markets as having a BMC Root of Trust feature, Binarly discovered a similar but distinct validation flaw designated CVE-2025-6198. This BMC implementation used a `sig_table` instead of `fwmap`, parsed within the OP-TEE secure environment. The `sig_table` defined six firmware regions by offset and size, but like the `fwmap`, this table was part of the uploaded image and used for digest calculation, making it similarly manipulable.
Attackers exploiting CVE-2025-6198 can split a signed region (such as the `kernel`) into multiple parts within the `sig_table`. For example, researchers demonstrated splitting the kernel into three entries: the data before a modified section, the original data of the modified section moved to an unused area, and the data after the modification. Because the digest is computed over the concatenation of the table’s entries, the three pieces hash to exactly the same value as the untouched kernel, so a malicious kernel can be flashed despite the cryptographic protections. Most significantly, the researchers confirmed that the RoT feature on the X13SEM-F only authenticates the bootloader at startup, not the subsequent kernel, meaning CVE-2025-6198 effectively bypasses the BMC Root of Trust entirely.
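The in-image `fwmap` table behind CVE-2024-10237 and CVE-2025-7937 and the `sig_table` split behind CVE-2025-6198 rest on the same design error, modelled here as an added Python toy that is not Supermicro’s or Binarly’s code: a verifier that takes its list of hashed regions from the image accepts a relocated image, while a verifier that owns the layout rejects it. All offsets, sizes, contents and the digest-as-signature simplification are constructed assumptions.

```python
import hashlib

# Constructed toy layout, not a real Supermicro image: a 64-byte image holding a
# bootloader at 0x00, a kernel at 0x10, unused space at 0x20 and, mirroring the
# flawed design, a region table (stand-in for fwmap / sig_table) at 0x30.
BOOT, KERNEL, FREE, TABLE = 0x00, 0x10, 0x20, 0x30
SIZE = 0x10
SIGNED_REGIONS = ((BOOT, SIZE), (KERNEL, SIZE))  # layout the verifier must own

def digest(image: bytes, regions) -> str:
    """SHA-256 over the concatenation of the given (offset, size) regions."""
    h = hashlib.sha256()
    for off, size in regions:
        h.update(image[off:off + size])
    return h.hexdigest()

def encode_table(regions) -> bytes:
    """Each entry is one (offset, size) byte pair; the slot is zero-padded."""
    return b"".join(bytes([off, size]) for off, size in regions).ljust(SIZE, b"\0")

def decode_table(blob: bytes):
    """Inverse of encode_table; zero-size pairs are padding, not entries."""
    return tuple((blob[i], blob[i + 1]) for i in range(0, SIZE, 2) if blob[i + 1])

def genuine_image() -> bytes:
    return (b"BOOT".ljust(SIZE, b"B") + b"KERN".ljust(SIZE, b"K")
            + b"\xff" * SIZE + encode_table(SIGNED_REGIONS))

# Vendor "signature" modelled as the digest of the genuine regions (constructed);
# a real image carries an asymmetric signature over this digest instead.
SIGNED_DIGEST = digest(genuine_image(), SIGNED_REGIONS)

def relocated_image() -> bytes:
    """The relocation described in the text, in toy form: kernel replaced in
    place, original kernel bytes parked in unused space, table repointed."""
    img = bytearray(genuine_image())
    img[FREE:FREE + SIZE] = img[KERNEL:KERNEL + SIZE]
    img[KERNEL:KERNEL + SIZE] = b"EVIL".ljust(SIZE, b"E")
    img[TABLE:TABLE + SIZE] = encode_table(((BOOT, SIZE), (FREE, SIZE)))
    return bytes(img)

def weak_verify(image: bytes) -> bool:
    """Flawed design: the set of hashed bytes is read from the untrusted image."""
    return digest(image, decode_table(image[TABLE:TABLE + SIZE])) == SIGNED_DIGEST

def strict_verify(image: bytes) -> bool:
    """Hardened design: the layout is fixed in the verifier and the table shipped
    in the image must equal it, so neither relocation nor splitting can pass."""
    table_ok = decode_table(image[TABLE:TABLE + SIZE]) == SIGNED_REGIONS
    return table_ok and digest(image, SIGNED_REGIONS) == SIGNED_DIGEST
```

The same exact-layout check also rejects the three-way split of CVE-2025-6198, since any table that differs from the verifier’s own layout fails before the digest is even computed.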
Attack Scenarios and Infrastructure Impact
The impact of these vulnerabilities extends beyond individual server compromise to affect entire infrastructure ecosystems. A compromised BMC provides attackers with a persistent foothold that operates beneath the host operating system, surviving OS reinstallation and hard drive replacement. This persistence mechanism aligns with threat scenarios outlined by researchers over a decade ago but now operates with greater sophistication through cryptographic bypass techniques.
These vulnerabilities represent a critical software supply chain risk, as malicious actors could Trojanize legitimate firmware updates that would then be distributed from official sources. The existence of unauthenticated remote code execution flaws like CVE-2024-36435, patched by Supermicro in July 2024, means attackers may not need administrative credentials to initiate the attack chain leading to full BMC compromise. This combination of vulnerabilities enables the realization of the “attack from the host” scenario described in 2013 research, where compromised host software can reflash the BMC firmware without authentication.
Mitigation Strategies and Security Recommendations
Defending against these firmware-level threats requires a multi-layered approach that incorporates both immediate technical controls and long-term security practices. The most critical immediate action is applying the latest BMC firmware updates from Supermicro’s official website, specifically the September 2025 advisory that addresses CVE-2025-7937 and CVE-2025-6198. Organizations should ensure that patches for earlier vulnerabilities, particularly the unauthenticated RCE CVE-2024-36435, are also applied.
Network segmentation remains essential, as recommended since the earliest BMC security research in 2013. BMC management interfaces should be placed on dedicated, firewalled network segments with no direct internet exposure. This limits exposure to protocol-level flaws like RAKP hash extraction. Access control hardening should include changing default passwords, disabling unnecessary services such as UPnP, enforcing strong authentication, and restricting administrative access to BMC interfaces.
On supported hardware, organizations should enable hardware-backed Root of Trust features and ensure they are configured to validate the entire boot chain, not just the initial bootloader. Source verification practices should include downloading firmware exclusively from official vendor sources and verifying file cryptographic hashes before installation. Security teams should implement monitoring solutions capable of firmware integrity checking and maintain comprehensive inventories of all BMC-enabled hosts with active traffic monitoring on management networks.
The recurrence of these vulnerabilities in Supermicro BMC firmware, including incomplete patches that required subsequent fixes, indicates a systemic challenge in secure development practices for critical firmware components. While the technical sophistication of attacks has evolved from simple protocol abuses to complex logic flaws that bypass cryptographic protections, the fundamental risks associated with BMCs have been understood for over a decade. Addressing these risks requires consistent application of established security practices alongside more rigorous testing and validation of firmware update mechanisms.
References
- CERT-IST, “Security threats in Intelligent Platform Management Interface (IPMI),” September 2013.
- Rapid7 Research, “Security Flaws in Universal Plug and Play: Unplug, Don’t Play,” January 2013.
- University of Michigan Research, “A Study of Practical Attacks on the IPMI Protocol,” 2013.
- Cloudian Blog, “Supermicro BMC IPMI Firmware Vulnerabilities,” 2023.
- Supermicro Security Advisory, “Vulnerabilities in Supermicro BMC Firmware,” January 2025.
- Binarly.io, “Ghost in the Controller: Abusing Supermicro BMC Firmware Verification,” July 2, 2025.
- Binarly.io, “Broken Trust: Fixed Supermicro BMC Bug Gains a New Life in Two New Vulnerabilities,” September 23, 2025.
- Supermicro Security Advisory, “Vulnerabilities in Supermicro BMC Firmware,” April 2024.
- Supermicro Security Advisory, “Vulnerability in Supermicro BMC IPMI firmware,” July 2024.
- Vertiv Blog (HD Moore), “Close the front door: Identify BMC vulnerabilities in your infrastructure and mitigate the risks,” July 2016.