Cybersecurity researchers have disclosed two medium-severity vulnerabilities (CVE-2025-7937, CVE-2025-6198) in Supermicro Baseboard Management Controller (BMC) firmware, enabling attackers to bypass cryptographic signature verification during firmware updates. This allows for the installation of malicious firmware, granting complete and persistent control over both the BMC and the main server OS, and critically, bypassing the BMC's Root of Trust. The findings highlight insufficient vendor patching, as one vulnerability circumvents a prior fix, and the broader concern over reused signing keys across Supermicro products presents a significant supply chain security risk for institutional deployments.
Two medium-severity vulnerabilities (CVE-2025-7937 and CVE-2025-6198) have been disclosed in Supermicro (SMCI) Baseboard Management Controller (BMC) firmware, which could allow an attacker to install a malicious image and gain persistent control over the server. Critically, one vulnerability (CVE-2025-6198) bypasses the hardware Root of Trust (RoT), a foundational security feature, contradicting previous assurances from Supermicro's security team. The other flaw (CVE-2025-7937) circumvents a patch for a previous vulnerability (CVE-2024-10237), raising questions about the efficacy of the company's remediation processes. The research further highlights a significant systemic risk stemming from Supermicro's practice of reusing cryptographic signing keys across product lines. This practice, if a key were to be leaked, could have an industry-wide impact, creating a material supply chain security risk for institutional customers heavily reliant on Supermicro hardware.
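The summaries above make two defensive points: a BMC's firmware-update path must verify a signature over the whole image it is about to flash, and a signing key should be bound to one product line so that a leak (or reuse) of one key does not let an image for one board validate on another. The following Go program is an added illustration of those two controls and is not Supermicro's code, not its image format, and not a description of how CVE-2025-7937 or CVE-2025-6198 actually work (the summaries give no mechanism). The image layout, the `Keyring` type and every function name are assumptions made for the example; Ed25519 stands in for whatever signature scheme a real vendor uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not a real vendor format):
// [2-byte BE product ID][4-byte BE payload length][payload][64-byte Ed25519 signature]
// The signature covers every byte before it, so a changed header, a changed
// payload, or bytes appended after the signature all invalidate it.
const hdrLen = 6
const sigLen = ed25519.SignatureSize

// Keyring pins exactly one public key per product ID. A key that signs images for
// one product line cannot validate an image labelled for another.
type Keyring map[uint16]ed25519.PublicKey

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// BuildImage assembles header+payload and signs the whole body.
func BuildImage(priv ed25519.PrivateKey, productID uint16, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	binary.BigEndian.PutUint16(body[0:2], productID)
	binary.BigEndian.PutUint32(body[2:6], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, digest(body))...)
}

// VerifyImage is the check an update path should run before flashing:
// size sanity, product match, declared length consistent with the real size,
// and a signature over the entire body under the key pinned for this product.
func VerifyImage(kr Keyring, thisBoard uint16, img []byte) error {
	if len(img) < hdrLen+sigLen {
		return errors.New("image too short")
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	productID := binary.BigEndian.Uint16(body[0:2])
	declared := binary.BigEndian.Uint32(body[2:6])
	if productID != thisBoard {
		return fmt.Errorf("image is for product %#04x, this board is %#04x", productID, thisBoard)
	}
	if int(declared) != len(body)-hdrLen {
		return errors.New("declared payload length does not match image size")
	}
	pub, ok := kr[productID]
	if !ok {
		return errors.New("no pinned public key for this product")
	}
	if !ed25519.Verify(pub, digest(body), sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// Demo exercises the verifier with constructed data: a genuine image, a tampered
// copy, an image signed with another product line's key, and trailing bytes
// appended after the signature. Returns whether each one was accepted.
func Demo() (genuine, tampered, crossProduct, appended bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{0x0001: pubA, 0x0002: pubB} // separate key per product line
	payload := []byte("constructed firmware payload, not real BMC code")

	img := BuildImage(privA, 0x0001, payload)
	genuine = VerifyImage(kr, 0x0001, img) == nil

	bad := append([]byte(nil), img...)
	bad[hdrLen+3] ^= 0xff // flip one payload byte
	tampered = VerifyImage(kr, 0x0001, bad) == nil

	// Labelled for product 1 but signed with product 2's key: rejected only
	// because the keys are not shared between product lines.
	cross := BuildImage(privB, 0x0001, payload)
	crossProduct = VerifyImage(kr, 0x0001, cross) == nil

	extra := append(append([]byte(nil), img...), []byte("trailing bytes")...)
	appended = VerifyImage(kr, 0x0001, extra) == nil
	return
}

func main() {
	g, t, c, a := Demo()
	fmt.Printf("genuine=%v tampered=%v crossProduct=%v appended=%v\n", g, t, c, a)
}
```

If the keyring held the same public key under both product IDs, the `crossProduct` case would be accepted, which is the key-reuse exposure the disclosure describes: one leaked private key would then sign valid images for every product line that trusts it.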