Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security

nsamag September 23, 2025

What’s new: Two vulnerabilities have been identified in Supermicro Baseboard Management Controller (BMC) firmware that allow attackers to bypass the firmware verification process. The vulnerabilities, CVE-2025-7937 (CVSS 6.6) and CVE-2025-6198 (CVSS 6.4), let a malicious firmware image be uploaded by redirecting the verification logic to attacker-supplied (fake) tables placed in unsigned regions of the image, so that a modified image still passes the signature check.
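The bug class described above is easiest to see in a verifier. The following is an added example, not Supermicro's code or image format: it defines a constructed toy firmware layout in which a header points at a table of signed regions, and contrasts a weak verifier that trusts that pointer with a hardened one that also requires every byte of the image except the signature itself to be covered by a signed region, so a table relocated into unsigned space cannot hide modified content. The HMAC key and the signed-region table format are assumptions made for the demo; a real root of trust would verify an asymmetric signature against a key anchored in hardware, but the structural coverage check is the same.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout (not Supermicro's real format):
#   header: magic, table_off, table_len, image_len (16 bytes); then payload;
#   then a table of (offset, length) signed regions followed by a 32-byte signature
HEADER_FMT = "<4sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
ENTRY_FMT = "<II"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)
SIG_LEN = 32
MAGIC = b"TOYF"

# Stand-in for the vendor signing key: an HMAC key constructed for this demo only.
# A real root of trust verifies an asymmetric signature against a hardware-anchored key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def parse_header(image):
    if len(image) < HEADER_LEN:
        raise ValueError("image too short for header")
    magic, table_off, table_len, image_len = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MAGIC or image_len != len(image):
        raise ValueError("bad magic or image length")
    return table_off, table_len

def parse_table(image, table_off, table_len):
    if table_len < SIG_LEN or (table_len - SIG_LEN) % ENTRY_LEN:
        raise ValueError("malformed signature table")
    if table_off + table_len > len(image):
        raise ValueError("signature table outside image")
    entries = [struct.unpack_from(ENTRY_FMT, image, pos)
               for pos in range(table_off, table_off + table_len - SIG_LEN, ENTRY_LEN)]
    sig = image[table_off + table_len - SIG_LEN:table_off + table_len]
    return entries, sig

def signed_bytes(image, entries):
    buf = bytearray()
    for off, length in entries:
        if off + length > len(image):
            raise ValueError("signed region outside image")
        buf += image[off:off + length]
    return bytes(buf)

def signature_ok(image, entries, sig):
    expected = hmac.new(DEMO_KEY, signed_bytes(image, entries), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_weak(image):
    """Bug class on this page: trusts the header's table pointer and only checks
    the signature over whatever regions that table happens to name."""
    table_off, table_len = parse_header(image)
    entries, sig = parse_table(image, table_off, table_len)
    return signature_ok(image, entries, sig)

def verify_hardened(image):
    """Additionally requires every byte except the signature itself to lie inside
    a signed region, so the header, the table and all code are covered and a
    table relocated into unsigned space cannot hide modified content."""
    table_off, table_len = parse_header(image)
    entries, sig = parse_table(image, table_off, table_len)
    covered = bytearray(len(image))
    for off, length in entries:
        if off + length > len(image):
            return False
        covered[off:off + length] = b"\x01" * length
    sig_start = table_off + table_len - SIG_LEN
    covered[sig_start:sig_start + SIG_LEN] = b"\x01" * SIG_LEN
    if not all(covered):
        return False
    return signature_ok(image, entries, sig)

def build_signed_image(payload):
    """Sign a constructed image with one region covering everything but the signature."""
    table_off = HEADER_LEN + len(payload)
    table_len = ENTRY_LEN + SIG_LEN
    header = struct.pack(HEADER_FMT, MAGIC, table_off, table_len, table_off + table_len)
    entry = (0, table_off + ENTRY_LEN)  # header + payload + the table entry itself
    body = header + payload + struct.pack(ENTRY_FMT, *entry)
    return body + hmac.new(DEMO_KEY, body, hashlib.sha256).digest()

def redirected_table_sample(signed_image, new_payload):
    """Constructed test input modelling the bug class: the payload is replaced, and
    the header points at a new table in unsigned trailing space whose single
    entry references an untouched copy of the originally signed bytes."""
    table_off, table_len = parse_header(signed_image)
    entries, sig = parse_table(signed_image, table_off, table_len)
    original_body = signed_bytes(signed_image, entries)
    copy_off = HEADER_LEN + len(new_payload)
    new_table_off = copy_off + len(original_body)
    new_table_len = ENTRY_LEN + SIG_LEN
    header = struct.pack(HEADER_FMT, MAGIC, new_table_off, new_table_len,
                         new_table_off + new_table_len)
    table = struct.pack(ENTRY_FMT, copy_off, len(original_body)) + sig
    return header + new_payload + original_body + table
```

Running `verify_weak` and `verify_hardened` over `build_signed_image(b"GENUINE-BMC-CODE")` returns True for both; over `redirected_table_sample(...)` with a different payload the weak verifier still returns True while the hardened one returns False, because the replaced payload and the header lie outside every signed region. The design point is that the signature table's location must itself be authenticated (or the verifier must demand full coverage); checking a signature over regions chosen by untrusted data is what makes the redirection possible.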

Who’s affected

Organizations running Supermicro BMC firmware, particularly on X13SEM-F motherboards, are at risk. Successful exploitation could give attackers control over the BMC and, through it, the main server operating system.

What to do

  • Review and update Supermicro BMC firmware to the latest version to mitigate these vulnerabilities.
  • Implement strict access controls and monitoring on BMC systems to detect unauthorized firmware updates.
  • Consider rotating cryptographic signing keys to enhance security against potential key leakage.
