Researchers have identified significant vulnerabilities in the firmware of Supermicro’s baseboard management controllers (BMC), raising concerns about the company’s security practices for low-level software. Supermicro is a key player in the server motherboard market, and BMCs are essential components that monitor system health independently from the operating system, even when the servers are not powered on.
The first vulnerability, designated CVE-2025-7937, weakens the firmware validation process intended to protect Supermicro’s BMC firmware and carries a high-severity CVSS score of 7.2. If exploited, attackers could deliver malicious firmware updates and thereby seize control of the server at a level below conventional security measures.
This vulnerability was uncovered by Binarly, a firmware security firm, during their assessment of Supermicro’s response to a previously reported issue, CVE-2024-10237, which allowed rogue firmware installations. Binarly noted that the potential consequences of these vulnerabilities include total and sustained control over both the BMC and the main server operating system.
In tandem, Binarly flagged a second high-severity flaw, CVE-2025-6198, which involves the firmware of Supermicro’s X13SEM-F motherboard, also rated with a CVSS score of 7.2. While the requirement for attackers to have established administrative access makes exploitation seem challenging — as neither vulnerability can be exploited remotely — previous incidents have shown that gaining rogue admin access is feasible through indirect attacks.
Both vulnerabilities expose inadequacies in Supermicro’s validation logic. Binarly had found that the earlier vulnerability allowed attackers to bypass the firmware validation checks by manipulating the firmware map, and it found that the 2025 issues can be triggered with a similar approach. CVE-2025-6198 is tied to modifications of the firmware’s sig_table, which permit changes to regions that are not authenticated while the image still matches its cryptographic signature.
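The design flaw described above, that a verifier trusts a coverage map carried inside the image it is checking, is easy to illustrate. The following is an added toy example, not Supermicro’s format or Binarly’s code: the image layout, the `sig_table`-style region map, the key and the sample bodies are all constructed here, and an HMAC-SHA256 tag stands in for the vendor’s asymmetric signature. It places a verifier that signs only the mapped regions beside a hardened one whose signature covers the header, the map and the whole body, and which additionally requires the map to account for every body byte.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout (NOT Supermicro's real format):
#   MAGIC(4) | region_count(4) | region_count * (offset(4), length(4)) | body | tag(32)
# Map offsets are relative to the start of the body.
MAGIC = b"TOYF"
TAG_LEN = 32
VENDOR_KEY = b"constructed-vendor-key"  # stand-in for the vendor's private signing key


def tag(data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the vendor's asymmetric signature in this toy."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def encode_map(regions):
    """Serialise a list of (offset, length) pairs as the toy sig_table."""
    out = struct.pack("<I", len(regions))
    for off, ln in regions:
        out += struct.pack("<II", off, ln)
    return out


def parse_image(image: bytes):
    """Split an image into (regions, body, signed_blob, tag); raise on malformed input."""
    if len(image) < 8 + TAG_LEN or image[:4] != MAGIC:
        raise ValueError("bad header")
    blob, sig = image[:-TAG_LEN], image[-TAG_LEN:]
    (count,) = struct.unpack_from("<I", blob, 4)
    pos, regions = 8, []
    for _ in range(count):
        off, ln = struct.unpack_from("<II", blob, pos)
        regions.append((off, ln))
        pos += 8
    body = blob[pos:]
    for off, ln in regions:
        if off + ln > len(body):
            raise ValueError("map region outside body")
    return regions, body, blob, sig


def weak_build(body, regions):
    """Vendor packaging for the flawed design: the tag covers only the mapped regions."""
    covered = b"".join(body[o:o + n] for o, n in regions)
    return MAGIC + encode_map(regions) + body + tag(covered)


def weak_verify(image: bytes) -> bool:
    """Flawed verifier: the image's own map decides which bytes get checked."""
    try:
        regions, body, _blob, sig = parse_image(image)
    except (ValueError, struct.error):
        return False
    covered = b"".join(body[o:o + n] for o, n in regions)
    return hmac.compare_digest(tag(covered), sig)


def strong_build(body, regions):
    """Hardened packaging: the tag covers header, map and the entire body."""
    blob = MAGIC + encode_map(regions) + body
    return blob + tag(blob)


def strong_verify(image: bytes) -> bool:
    """Hardened verifier: whole-image signature plus a gap-free map as defence in depth."""
    try:
        regions, body, blob, sig = parse_image(image)
    except (ValueError, struct.error):
        return False
    if not hmac.compare_digest(tag(blob), sig):
        return False
    expect = 0
    for off, ln in sorted(regions):  # regions must tile the body exactly
        if off != expect:
            return False
        expect = off + ln
    return expect == len(body)


def compare_verifiers():
    """Constructed regression case for verifier design. The tampered image keeps the
    original tag but re-points the map at a relocated copy of the signed bytes, so the
    bytes at the front of the body are no longer the ones that were signed."""
    body = b"A" * 16 + b"B" * 16
    regions = [(0, 16), (16, 16)]
    genuine_weak, genuine_strong = weak_build(body, regions), strong_build(body, regions)
    relocated = b"X" * 32 + body          # unsigned content first, signed bytes moved after it
    moved_map = encode_map([(32, 16), (48, 16)])
    tampered_weak = MAGIC + moved_map + relocated + genuine_weak[-TAG_LEN:]
    tampered_strong = MAGIC + moved_map + relocated + genuine_strong[-TAG_LEN:]
    return {
        "weak_accepts_genuine": weak_verify(genuine_weak),
        "weak_accepts_tampered": weak_verify(tampered_weak),
        "strong_accepts_genuine": strong_verify(genuine_strong),
        "strong_accepts_tampered": strong_verify(tampered_strong),
    }


if __name__ == "__main__":
    print(compare_verifiers())
```

The lesson for anyone writing or reviewing an update validator is in `strong_verify`: nothing the image says about itself (its map, its region table, its own declared size) may narrow what the signature is checked against, and the signature must be computed over exactly the bytes the device will later trust and execute.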
For mitigation, Binarly advises organizations to implement rigorous source verification and integrity checks for firmware updates. They emphasize the importance of timely patching and enabling Root of Trust (RoT) security where possible. Continuous monitoring and security audits should remain a priority, even when organizations face numerous competing security challenges.
While documented attacks exploiting firmware vulnerabilities are relatively rare, unaddressed vulnerabilities persist in many systems. Past events, such as the vulnerabilities in AMI MegaRAC SPx and in HPE Integrated Lights-Out servers, highlight the ongoing risk in server management firmware, which is easily overlooked unless it receives timely attention.