Recent investigations have uncovered significant vulnerabilities in Supermicro’s Baseboard Management Controller (BMC) firmware, revealing that previous security patches were insufficient. These flaws allow attackers to bypass signature verification mechanisms, granting them persistent control over enterprise server infrastructures.
Background on BMC Firmware Vulnerabilities
BMCs are specialized microcontrollers embedded in servers, responsible for monitoring and managing hardware health, including temperature, voltage, and system logs. Compromising BMC firmware can lead to unauthorized access and control over server hardware, posing significant security risks.
In January 2025, Supermicro released patches to address a vulnerability identified as CVE-2024-10237. This flaw, discovered by NVIDIA’s Offensive Security Research Team, involved fundamental weaknesses in BMC firmware image authentication, potentially allowing attackers with administrative access to upload malicious firmware updates.
Discovery of New Vulnerabilities
Despite the patches, further analysis by Binarly analysts revealed that the fixes were inadequate. They identified a bypass technique for the vendor’s CVE-2024-10237 fix, leading to the assignment of CVE-2025-7937. Additionally, during an extended analysis of various Supermicro products, researchers discovered another vulnerability employing distinct exploitation techniques, assigned CVE-2025-6198.
These vulnerabilities affect multiple generations of Supermicro motherboards and demonstrate how design weaknesses in firmware validation processes can undermine the fundamental security assumptions of server hardware.
Exploitation Mechanisms and Signature Bypass Techniques
The attack vectors leverage design flaws in the three-step firmware validation process used across Supermicro’s BMC implementations.
1. Public Key Retrieval: The system retrieves a public key from the BMC SPI flash chip, which is part of the currently running firmware.
2. Signature Extraction: It extracts the cryptographic signature from the uploaded image blob; the signature is verified with RSA-4096.
3. Region Table Analysis: The process analyzes embedded tables representing different firmware regions, calculating SHA-512 hash digests of signed regions before verifying signatures against calculated digests.
These vulnerabilities grant attackers complete persistent control over both BMC systems and main server operating systems, representing a critical escalation pathway that compromises fundamental hardware security assumptions in enterprise environments.
Detailed Exploitation Techniques
For CVE-2025-7937:
Attackers circumvent the supposed fixes by introducing custom firmware map (fwmap) tables before the original ones. Each custom table contains a single element that covers all of the signed regions concatenated together.
The exploit leverages the fact that fwmap tables are located in memory by signature rather than fixed positions, allowing manipulation of the validation sequence.
In the X12STW-F firmware version 01.06.17, the original validation process defines six distinct regions with specific offsets and signing requirements.
The bypass technique creates a consolidated entry at offset 0x100000 with size 0x2b32c00 marked as signed boot content, effectively wrapping all legitimate signed regions into a single validated block while inserting malicious content in the bootloader space.
For CVE-2025-6198:
The exploitation technique targets the auth_bmc_sig function within the OP-TEE environment, manipulating the sig_table section located at offset 0x100000.
This alternative validation method processes region information differently, storing offsets in the first four bytes and custom-transformed size values in the remaining bytes.
By modifying kernel regions and updating corresponding sig_table entries, attackers maintain signature validity while executing arbitrary code during BMC boot processes.
The successful exploitation of these techniques results in persistent arbitrary code execution capabilities, with modified kernel images bypassing authentication mechanisms during boot sequences.
Binarly researchers demonstrated successful validation and flashing of modified images through UART debugging interfaces, confirming that customized kernels execute without triggering security mechanisms, effectively compromising the entire BMC security model.
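Both techniques above share one root cause: the table that tells the verifier which bytes to hash is itself unauthenticated data inside the uploaded image. The toy validator below is an added illustration, not Binarly's or Supermicro's code; its image layout, the FWMAP magic, the entry format and the SHA-512 digest standing in for the RSA-4096 signature step are all constructed for this example. It shows the weak pattern (table located by magic search, gaps allowed) next to a hardened one (fixed table offset, exactly one table, no overlaps, bootloader, table and kernel all inside signed regions).

```python
import hashlib
import struct

# Constructed toy layout for this example, not Supermicro's real image format:
# bootloader 0x000-0x100, region table at 0x100, kernel 0x200-0x400.
MAGIC, TABLE_OFF, SIZE, SIGNED = b"FWMAP", 0x100, 0x400, 1
CRITICAL = [(0x000, 0x100), (0x100, 0x100), (0x200, 0x200)]  # (offset, size) pairs that must be signed

def build_table(entries):  # entry = (offset, size, flags), three little-endian u32
    return MAGIC + bytes([len(entries)]) + b"".join(struct.pack("<III", *e) for e in entries)

def parse_table(img, off):
    return [struct.unpack_from("<III", img, off + 6 + 12 * i) for i in range(img[off + 5])]

def digest(img, entries):  # stand-in for the SHA-512 over signed regions that the RSA signature covers
    return hashlib.sha512(b"".join(img[o:o + s] for o, s, f in entries if f & SIGNED)).digest()

def weak_verify(img, trusted):
    # flaw: the table is found by magic search, so a table earlier in unauthenticated bytes wins
    return digest(img, parse_table(img, img.find(MAGIC))) == trusted

def hardened_verify(img, trusted):
    if img.count(MAGIC) != 1 or img.find(MAGIC) != TABLE_OFF:
        return False  # exactly one table, at its fixed offset
    entries = sorted(parse_table(img, TABLE_OFF))
    signed = [(o, o + s) for o, s, f in entries if f & SIGNED]
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(signed, signed[1:])):
        return False  # overlapping signed regions
    if not all(any(o <= c and c + n <= e for o, e in signed) for c, n in CRITICAL):
        return False  # bootloader, table and kernel must all lie inside signed regions
    return digest(img, entries) == trusted

def shadow_table_case():
    img = bytearray(SIZE)  # legacy layout: only the kernel is listed as signed
    img[0x200:0x400] = b"K" * 0x200
    img[TABLE_OFF:TABLE_OFF + 18] = build_table([(0x200, 0x200, SIGNED)])
    trusted = digest(img, parse_table(img, TABLE_OFF))
    t = bytearray(img)  # CVE-2025-7937 pattern in miniature: an earlier table names the same
    t[0:18] = build_table([(0x200, 0x200, SIGNED)])  # signed bytes, bootloader space is changed
    t[0x40:0x50] = b"X" * 0x10
    return weak_verify(t, trusted), hardened_verify(t, trusted)

def full_coverage_case():
    img = bytearray(SIZE)
    img[0:0x100], img[0x200:0x400] = b"B" * 0x100, b"K" * 0x200
    img[TABLE_OFF:TABLE_OFF + 42] = build_table([(o, n, SIGNED) for o, n in CRITICAL])
    trusted = digest(img, parse_table(img, TABLE_OFF))
    t = bytearray(img)
    t[0x40] ^= 1  # any single-bit change, table included, is now detected
    return hardened_verify(img, trusted), hardened_verify(t, trusted)
```

The same checks are useful on the defensive side: scanning a firmware update for more than one table magic, or for flagged-unsigned ranges where a bootloader or kernel is expected, is a cheap pre-flash audit.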
Implications and Recommendations
These vulnerabilities highlight the critical need for robust firmware validation processes and the importance of thorough security assessments. Organizations using Supermicro BMCs should take immediate action to mitigate the risk.
Recommendations:
1. Firmware Updates: Regularly update BMC firmware to the latest versions provided by Supermicro, ensuring that all security patches are applied promptly.
2. Access Controls: Implement strict access controls to limit administrative access to BMC interfaces, reducing the risk of unauthorized modifications.
3. Network Segmentation: Isolate BMC interfaces from external networks to prevent remote exploitation of vulnerabilities.
4. Monitoring and Logging: Establish comprehensive monitoring and logging mechanisms to detect and respond to unauthorized activities promptly.
5. Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the system.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can safeguard their server infrastructures against potential attacks and maintain the integrity of their systems.