Supermicro BMC firmware update validation bypass
The BINARLY team has discovered a vulnerability in the Supermicro BMC firmware authentication design that allows a potential attacker to update the system firmware with a specially crafted image. The vulnerability results from an incomplete fix for CVE-2024-10237.
Potential Impact
An attacker could trick the BMC administrator into updating the BMC with a custom image containing malicious content. This would result in the complete compromise of the BMC, which in turn provides access to the main host OS. It would also let the attacker persist across a BMC reboot and move laterally within the compromised infrastructure, infecting other endpoints.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2025-020
- Supermicro PSIRT assigned CVE identifier: CVE-2025-7937
- CVSS v3.1: 7.2 High (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Supermicro firmware
| Device | Version | SHA256 |
|---|---|---|
| X12STW-F | 01.06.17 (latest) | b84c90e644927fd18685841d6e8996a15869c42334f4166dc6117c5a738c1926 |
Vulnerability description
The firmware image for the X12STW-F motherboard version 01.06.17 has the following regions defined in the fwmap:
| Region | Offset | Size | Signed |
|---|---|---|---|
| bootloader | 0x0000000 | 0x00a6280 | true |
| sig_table | 0x0100000 | 0x0001000 | true |
| pdb_seca | 0x0110000 | 0x0010000 | true |
| kernel | 0x0130000 | 0x031f900 | true |
| rootFS | 0x0530000 | 0x275c080 | true |
| pdb_isec | 0x2dc0000 | 0x0010000 | false |
The fix for CVE-2024-10237 introduced two additional checks in the fwmap_parser function: fwmap_offset_check and fwmap_attr_check. These checks ensure that fwmap entries cannot be placed at an arbitrary offset and constrain the attributes an entry may carry. However, because the fwmap region is located by scanning the image in memory for the fwmap signature, a custom fwmap table can be placed before the original one, for example at offset 0x40000, which no other region uses. The scan finds this modified fwmap first, and it is the one used during image validation.
For example, it is possible to write all the signed regions one after another at offset 0x100000 and introduce a custom fwmap with this single entry:
| Region | Offset | Size | Signed |
|---|---|---|---|
| bootloader | 0x100000 | 0x2b32c00 | true |
Now, the data before 0x100000 can be modified arbitrarily, giving control over the content of the BMC bootloader, while validation of such an image still succeeds.
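As an added illustration from the defender's side, not code from BINARLY or Supermicro: a layout check that refuses an image unless it carries exactly one fwmap signature and that table matches the expected X12STW-F 01.06.17 layout listed above entry for entry, so a shadow table placed earlier in the image is reported rather than silently used. The signature bytes (FWMAP_MAGIC) and the record encoding are constructed stand-ins, since the advisory does not document the real ones, and the function names are hypothetical.

```python
import struct

# Constructed placeholders: the advisory does not document the real fwmap
# signature bytes or record encoding, so these are hypothetical stand-ins.
FWMAP_MAGIC = b"FWMAP_PLACEHOLDER"
# Expected X12STW-F 01.06.17 layout from the advisory: name -> (offset, size, signed).
EXPECTED_LAYOUT = {
    "bootloader": (0x0000000, 0x00a6280, True),
    "sig_table":  (0x0100000, 0x0001000, True),
    "pdb_seca":   (0x0110000, 0x0010000, True),
    "kernel":     (0x0130000, 0x031f900, True),
    "rootFS":     (0x0530000, 0x275c080, True),
    "pdb_isec":   (0x2dc0000, 0x0010000, False),
}

def encode_fwmap(entries):
    """Hypothetical encoding: magic, u32 count, then per entry a 16-byte NUL-padded name, u32 offset, u32 size, u8 signed."""
    out = FWMAP_MAGIC + struct.pack("<I", len(entries))
    for name, off, size, signed in entries:
        out += name.encode().ljust(16, b"\0") + struct.pack("<IIB", off, size, int(signed))
    return out

def find_fwmaps(image):
    """Every offset carrying the signature; a scan that stops at the first hit is what lets a shadow table win."""
    hits, pos = [], image.find(FWMAP_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = image.find(FWMAP_MAGIC, pos + 1)
    return hits

def parse_fwmap(image, at):
    count = struct.unpack_from("<I", image, at + len(FWMAP_MAGIC))[0]
    pos, entries = at + len(FWMAP_MAGIC) + 4, []
    for _ in range(count):
        name = image[pos:pos + 16].rstrip(b"\0").decode()
        off, size, signed = struct.unpack_from("<IIB", image, pos + 16)
        entries.append((name, off, size, bool(signed)))
        pos += 25  # 16-byte name + 4 + 4 + 1
    return entries

def check_image(image):
    """Findings for an update image; an empty list means exactly one fwmap is present and it matches the expected layout."""
    hits = find_fwmaps(image)
    findings = [] if len(hits) == 1 else [f"expected 1 fwmap signature, found {len(hits)} at {hits}"]
    got = {n: (o, s, f) for n, o, s, f in parse_fwmap(image, hits[0])} if hits else {}
    for name in sorted(EXPECTED_LAYOUT.keys() | got.keys()):
        if got.get(name) != EXPECTED_LAYOUT.get(name):
            findings.append(f"region {name}: expected {EXPECTED_LAYOUT.get(name)}, got {got.get(name)}")
    return findings
```

The single-entry table from the advisory is rejected on both counts: it is a second signature in the image, and its one bootloader entry does not match the expected layout.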
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed, or once a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
| Supermicro PSIRT is notified | 2025-05-29 |
| Supermicro PSIRT confirmed reported issue | 2025-07-21 |
| Supermicro PSIRT assigned CVE number | 2025-07-21 |
| Supermicro PSIRT public disclosure date | 2025-09-17 |
| BINARLY public disclosure date | 2025-09-18 |
Acknowledgements