Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security

What’s new: Two medium-severity vulnerabilities have been identified in Supermicro Baseboard Management Controller (BMC) firmware that allow attackers to bypass firmware verification and potentially install malicious firmware. The vulnerabilities are CVE-2025-7937 (CVSS score: 6.6) and CVE-2025-6198 (CVSS score: 6.4); both stem from improper verification of cryptographic signatures.
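The root cause named above is improper verification of cryptographic signatures on a firmware image. The following Go program is an added illustration, not Supermicro's code and not the actual logic of either CVE: it uses a constructed, hypothetical image layout (a header, a body and a detached Ed25519 signature) to show the property a root-of-trust check must have, namely that the signature is validated over every byte of the image so that no region can be modified without detection. It also computes a full-image SHA-256 digest, the kind of value an operator can log at update time and compare against vendor-published hashes when monitoring for unexpected firmware changes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, illustrative layout (header, body, detached
// signature). It does not model Supermicro's real image format; it exists only
// to show what a signature check must cover.
type FirmwareImage struct {
	Header    []byte
	Body      []byte
	Signature []byte
}

// GenerateSigningKey creates an Ed25519 key pair. A vendor's real signing key
// would be held in an HSM; an in-memory key is used here for illustration.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedBytes returns the exact byte stream the signature binds: header and
// body concatenated, with nothing left outside the signed region.
func signedBytes(header, body []byte) []byte {
	buf := make([]byte, 0, len(header)+len(body))
	buf = append(buf, header...)
	return append(buf, body...)
}

// SignFirmware signs the entire image, header included.
func SignFirmware(priv ed25519.PrivateKey, header, body []byte) FirmwareImage {
	return FirmwareImage{
		Header:    header,
		Body:      body,
		Signature: ed25519.Sign(priv, signedBytes(header, body)),
	}
}

// VerifyFirmware is the hardened check: reject unless the signature validates
// over every byte of the image, so no region can be altered without detection.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature length")
	}
	if !ed25519.Verify(pub, signedBytes(img.Header, img.Body), img.Signature) {
		return errors.New("signature does not cover the presented image")
	}
	return nil
}

// ImageDigest returns the SHA-256 of the full image as hex. Logging this at
// update time gives operators a value to compare against vendor-published
// hashes and to alert on when an unexpected image is flashed.
func ImageDigest(img FirmwareImage) string {
	sum := sha256.Sum256(signedBytes(img.Header, img.Body))
	return hex.EncodeToString(sum[:])
}

// Tampered returns a copy of img with one byte of the header or body flipped,
// standing in for a modified image presented to the verifier.
func Tampered(img FirmwareImage, inHeader bool, offset int) FirmwareImage {
	out := FirmwareImage{
		Header:    append([]byte(nil), img.Header...),
		Body:      append([]byte(nil), img.Body...),
		Signature: append([]byte(nil), img.Signature...),
	}
	if inHeader {
		out.Header[offset] ^= 0x01
	} else {
		out.Body[offset] ^= 0x01
	}
	return out
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample image: a fake header and a fake body.
	img := SignFirmware(priv, []byte("BMC-HDR v1"), []byte("constructed firmware body"))
	fmt.Println("genuine image:", VerifyFirmware(pub, img), ImageDigest(img))
	bad := Tampered(img, true, 0)
	fmt.Println("header-modified image:", VerifyFirmware(pub, bad), ImageDigest(bad))
}
```

The design point is that `VerifyFirmware` never trusts any portion of the image that the signature does not cover: a flip in the header is rejected exactly as a flip in the body is, and a malformed signature is rejected before any cryptographic work is done. A verifier that signs or checks only a subset of the image leaves the remainder as an unsigned region, which is the general shape of the weakness this advisory summarizes.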

Who’s affected

Organizations using Supermicro BMC firmware are at risk, particularly those with the X13SEM-F motherboard. Exploitation of these vulnerabilities could lead to unauthorized control over the BMC system and the main server OS.

What to do

  • Review and update Supermicro BMC firmware to the latest version to mitigate these vulnerabilities.
  • Implement strict access controls and monitoring on BMC systems to detect unauthorized firmware updates.
  • Consider rotating cryptographic signing keys to enhance security against potential key leakage.

Sources