
"Supermicro informed customers in January that a researcher from Nvidia had discovered several BMC firmware vulnerabilities, including CVE-2024-10237, an image authentication issue that could allow an attacker to conduct malicious firmware updates. "An attacker can modify the firmware to bypass BMC inspection and bypass the signature verification process," Supermicro explained. A malicious firmware update would enable the attacker to gain complete and persistent control of the BMC and the operating system."
"Binarly analyzed CVE-2024-10237 and discovered that the patch released by Supermicro could be bypassed. As a result, the vendor assigned a new CVE identifier, CVE-2025-7937, and this month made another attempt to patch it. During its investigation, Binarly also found another similar vulnerability, which has been assigned the CVE identifier CVE-2025-6198. The cybersecurity firm warned that CVE-2025-6198 can be exploited not only to deploy a malicious firmware image, but also to bypass the Root of Trust (RoT) security feature,"
Supermicro patched two BMC vulnerabilities that could be exploited to deploy malicious firmware updates. The BMC is a specialized chip on server motherboards that provides out-of-band management even when the OS is down or power is off. A researcher from Nvidia originally identified CVE-2024-10237, an image authentication issue that could allow attackers to bypass signature verification and modify firmware. Binarly analyzed CVE-2024-10237, found the original patch could be bypassed, and prompted assignment of CVE-2025-7937. Binarly also discovered CVE-2025-6198, which can deploy malicious firmware and bypass the Root of Trust. Supermicro issued new patches and reported no evidence of in-the-wild exploitation.
Read at SecurityWeek