Supermicro Patch Failed, Leaving Servers Open to Firmware-Level Attacks

Image by İsmail Enes Ayhan, from Unsplash

Security researchers have identified critical vulnerabilities in Supermicro motherboards that allow attackers to implant malware which remains active even after system restarts and system cleaning.

In a rush? Here are the quick facts:

  • Flaws allow hackers to install malware that persists after reboots and cleaning.
  • Malware can bypass BMC security checks and replace firmware images.
  • Supermicro says it released updates but patch availability remains unclear.

The flaws reside in the baseboard management controllers (BMCs) found on server motherboards: small chips that let admins manage machines remotely, even when the host is powered off.

This issue, first reported by ArsTechnica, concerns Supermicro, a U.S. company that makes servers, motherboards, and storage systems powering data centers, cloud computing, and AI. Its hardware supports large-scale computing for businesses, researchers, and tech companies worldwide.

ArsTechnica notes that the security firm Binarly found Supermicro's January patch for CVE-2024-10237 to be an incomplete fix and, in the process, discovered two new vulnerabilities. One of these additional flaws is connected to the previously identified issue.

The two new defects are tracked as CVE-2025-7937 and CVE-2025-6198, and they affect the firmware storage, which is permanently attached to the motherboard.

The researchers compared the severity of these vulnerabilities to the 2021 iLOBleed attack, which enabled attackers to modify server firmware in a way that survived hard-drive wipes and operating-system reinstalls. The researchers describe this threat as having “unprecedented persistence,” as reported by ArsTechnica.

As Alex Matrosov, founder and CEO of Binarly, put it: “Both issues provide unprecedented persistence power across significant Supermicro device fleets including [in] AI data centers,” reports ArsTechnica.

He added: “After they patched [the earlier vulnerability], we looked at the rest of the attack surface and found even worse security problems.”

The main security threat comes from the BMC's signature verification mechanisms, which attackers can disable in order to replace firmware images without detection. Binarly's detailed description of the attack vector shows that an attacker needs BMC administrative access to carry out the persistent firmware reflash.

“If a potential attacker already has administrative access to the BMC control interface (it is possible by exploitation of other vulnerabilities, which we described in blogs 1, 2), then the exploitation is trivial—we just need to perform an update with a malicious image. In this case, an attacker benefits from exploitation of CVE-2025-7937/CVE-2025-6198 because the compromise becomes persistent,” Binarly said, as reported by ArsTechnica.

Binarly described how attackers can alter the fwmap table so that signed regions are replaced. “This single element will contain all the signed regions of the image, one after the other,” the company wrote.

Supermicro says it has released BMC updates to mitigate the flaws and is testing affected products. “We can’t find the patched firmware updates on their website,” Matrosov said, as reported by ArsTechnica.
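The quoted description points at a general verification design flaw: if the image itself carries the table that says which bytes are signed, and the signature only covers the concatenation of those bytes, then whoever controls the table controls what gets checked. The following Python is an added example written for this article; it is not Binarly's or Supermicro's code, and the image layout, the `fwmap`-like region table, the region contents and the HMAC-SHA256 tag (a stand-in for a real vendor signature) are all constructed here for illustration. It contrasts a verifier that trusts the in-image map with one that requires the map to account for every byte and to sit under the signature itself.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout (an assumption made for this example; it is NOT
# Supermicro's real fwmap format):
#   [u16 region_count][region_count x (u32 offset, u32 length)]   <- region map
#   [body bytes]
#   [32-byte HMAC-SHA256 tag]   <- stand-in for the vendor's signature
DEMO_KEY = b"constructed-demo-key"   # placeholder, not a real vendor key
TAG_LEN = 32


def tag(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def build_map(regions) -> bytes:
    return struct.pack(">H", len(regions)) + b"".join(
        struct.pack(">II", off, length) for off, length in regions)


def parse_map(payload: bytes):
    """Return [(offset, length), ...] read from the map at the start of payload."""
    (count,) = struct.unpack_from(">H", payload, 0)
    if 2 + 8 * count > len(payload):
        raise ValueError("truncated region map")
    return [struct.unpack_from(">II", payload, 2 + 8 * i) for i in range(count)]


def weak_verify(image: bytes) -> bool:
    """Vulnerable pattern: trust the map inside the untrusted image and check a
    signature over only the regions it lists, concatenated one after the other."""
    payload, sig = image[:-TAG_LEN], image[-TAG_LEN:]
    regions = parse_map(payload)
    signed = b"".join(payload[off:off + length] for off, length in regions)
    return hmac.compare_digest(tag(signed), sig)


def strict_verify(image: bytes) -> bool:
    """Hardened pattern: the map must tile the whole payload (no gaps, overlaps,
    empty or out-of-bounds entries) and the signature covers map and body together,
    so no byte of the image escapes authentication."""
    payload, sig = image[:-TAG_LEN], image[-TAG_LEN:]
    try:
        regions = parse_map(payload)
    except (ValueError, struct.error):
        return False
    cursor = 2 + 8 * len(regions)            # first byte after the map
    for off, length in sorted(regions):
        if off != cursor or length == 0:
            return False                     # gap, overlap or empty region
        cursor = off + length
    if cursor != len(payload):
        return False                         # bytes the map does not account for
    return hmac.compare_digest(tag(payload), sig)


def assemble(parts, sig: bytes) -> bytes:
    """Lay parts out after the map; only parts flagged mapped get a map entry.
    Used here only to construct sample images for the checks above."""
    offset = 2 + 8 * sum(1 for _, mapped in parts if mapped)
    regions = []
    for data, mapped in parts:
        if mapped:
            regions.append((offset, len(data)))
        offset += len(data)
    return build_map(regions) + b"".join(data for data, _ in parts) + sig


def sign_strict(parts) -> bytes:
    """Sign the way strict_verify expects: tag over map and body together."""
    payload = assemble(parts, b"")
    return payload + tag(payload)


def demo() -> dict:
    # Constructed stand-ins for firmware regions; no real firmware content.
    a, b = b"bootloader-bytes", b"kernel-bytes"
    extra = b"UNMAPPED-BLOB"
    legacy = assemble([(a, True), (b, True)], tag(a + b))
    # Same signed regions and the same tag, but an unmapped blob between them.
    gapped = assemble([(a, True), (extra, False), (b, True)], tag(a + b))
    strict = sign_strict([(a, True), (b, True)])
    return {
        "legacy_weak": weak_verify(legacy),       # True: genuine image passes
        "gapped_weak": weak_verify(gapped),       # True: the map hid the gap
        "gapped_strict": strict_verify(gapped),   # False: gap detected
        "legacy_strict": strict_verify(legacy),   # False: map not under signature
        "strict_strict": strict_verify(strict),   # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `gapped` image is the instructive case: `weak_verify` accepts it because the bytes the map points at are exactly the bytes that were signed, while `strict_verify` rejects it because the map leaves a hole it cannot account for. The practical lesson for anyone building or auditing an update path is that the region table must itself be authenticated and must cover the whole image; a checker that only hashes what an attacker-controlled table tells it to hash provides no guarantee about the rest.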

“The bug is hard to fix. I assume it will take more time from them,” Matrosov concluded.
