Binarly Discovers Two High-Severity Supermicro Server Vulnerabilities
Security research company Binarly has uncovered two high-severity vulnerabilities in Supermicro server motherboards, affecting the Baseboard Management Controller (BMC) and its Root of Trust (RoT) feature. Despite a January patch, these flaws allow attackers to install malware-laden firmware and gain persistent access to systems.
The vulnerabilities, identified as CVE-2025-7937 and CVE-2025-6198, enable attackers to bypass the BMC's security checks and install malicious firmware images, much as in the iLOBleed incident. Standard protection methods are ineffective against such implants, making removal nearly impossible. Worryingly, if the servers used to host official updates are compromised, malicious firmware images could be distributed as genuine updates. Binarly discovered these flaws after the January patch, which was found to be an incomplete fix for a previous issue (CVE-2024-10237).

These vulnerabilities provide 'unprecedented persistence' across large fleets of Supermicro devices, including AI data center infrastructure. Attackers can replace legitimate BMC firmware images with malicious ones while evading detection systems. To exploit these vulnerabilities, an attacker would first need control over the BMC interface, which administrative access would provide.
The discovery of these vulnerabilities highlights the critical importance of robust firmware security. Supermicro users are advised to stay vigilant and follow security best practices to mitigate potential risks. Further information on the vulnerabilities and remediation steps can be found on the Binarly website.