Particle.news
Download on the App Store
4 ARTICLES
·
2h ago

Supermicro Releases Updated BMC Patches After Prior Fix Was Bypassed

Researchers say the flaws let malicious firmware slide past validation, enabling persistent control of enterprise servers.

Image
Image

Overview

  • Binarly identified two Supermicro BMC flaws, CVE-2025-7937 and CVE-2025-6198, that allow crafted images to update firmware and persist on devices.
  • CVE-2025-7937 is a bypass of January’s CVE-2024-10237 fix, and CVE-2025-6198 can evade the BMC Root of Trust to load a malicious image.
  • The weaknesses stem from signature checks that can be redirected to attacker-controlled 'fwmap' or 'sig_table' entries in unsigned regions without changing the signed digest.
  • Supermicro says it has issued updates and has seen no evidence of active exploitation, while Ars Technica reports the company is testing fixes and patched images were not yet visible on its site.
  • Binarly warns successful attacks grant persistent BMC-level and host OS control and has published a demo, urging stronger signing key practices despite medium CVSS scores of 6.6 and 6.4.