Facepalm: Security experts warn that a significant portion of servers and data center products made by Supermicro could be vulnerable to attacks by resourceful cybercriminals working remotely. Worse yet, a successful breach could turn the infection into an invisible threat that no security software would be able to detect.

A critical component soldered onto Supermicro motherboards for server products is affected by two newly discovered vulnerabilities, and a working patch may take some time to become available. Discovered by security analysts at Binarly, the flaws stem from an incomplete patch Supermicro released in January to address another firmware issue in the same component.

Like other server platforms that require frequent remote access and management, Supermicro boards include a chip known as a baseboard management controller (BMC). BMC chips are specialized microcontrollers that give server administrators a practical means of accessing the system remotely. By the same token, a BMC becomes a significant liability if it contains one or more critical security flaws, since the same out-of-band access is then available to an attacker.

The January patch released by Supermicro was intended to fix the CVE-2024-10237 vulnerability. This security issue could be exploited to bypass the signature verification process when installing new BMC firmware images. Binarly CEO and founder Alex Matrosov said Supermicro's attempt was incomplete: his team discovered additional problems while analyzing both the flaw and the company's patch.

The new vulnerabilities are tracked as CVE-2025-7937 and CVE-2025-6198. If successfully exploited, they could allow attackers to replace legitimate firmware images with malware-infected ones. However, an attacker would first need direct control of the BMC, which can be achieved by exploiting additional vulnerabilities discovered by Binarly in 2024.

Once control of the BMC is obtained, Matrosov said, exploiting the newly discovered flaws is "trivial" for capable black hat hackers or state-sponsored actors. Installing a malicious firmware image would give the attacker a persistent presence on the server, as security software running inside the operating system cannot detect infections running below the OS level.

Baseboard management controllers operate alongside dedicated firmware and RAM components to form a powerful management platform for servers and professional-grade motherboards. The BMC monitors various hardware features, including temperature, fans, power, and operating system status. Administrators can install or replace the operating system remotely, even when the server is powered off.

Supermicro is working on a fix for the two vulnerabilities. The company has already mitigated the flaws in a new BMC firmware image and is now testing it before releasing updates for its server products. However, Matrosov noted that the bugs are likely "hard" to fix and that a proper resolution will take additional time.