What’s new: Two medium-severity vulnerabilities have been identified in Supermicro Baseboard Management Controller (BMC) firmware that allow an attacker to bypass the firmware verification process. They are CVE-2025-7937 (CVSS score: 6.6) and CVE-2025-6198 (CVSS score: 6.4), and both stem from improper verification of cryptographic signatures. Successful exploitation could allow a malicious firmware image to be installed as an update, undermining the Root of Trust (RoT) security feature.
Who’s affected
Organizations running Supermicro servers with affected BMC firmware are at risk. A successful attack could give an attacker unauthorized control over the BMC itself and, through it, over the main server operating system.
What to do
- Review and update Supermicro BMC firmware to the latest version that addresses these vulnerabilities.
- Implement strict access controls and monitoring for firmware updates.
- Consider rotating cryptographic signing keys to mitigate risks associated with key reuse.
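The weakness described above is improper verification of the signature on a firmware image, and the last recommendation is to rotate signing keys. The following Go program, added here as an example and not Supermicro's code or firmware format, shows the shape of an update verifier that avoids both problems: it checks an Ed25519 signature over the entire image (length field, key ID and payload) before interpreting any of it, rejects images whose declared length does not account for every byte, and looks up the signing key by ID in a trust store from which rotated-out keys have been removed. The image layout, key IDs and sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not Supermicro's format):
//   [4 bytes payload length, big-endian][1 byte key ID][payload][64-byte Ed25519 signature]
// The signature covers the length field, the key ID and the payload, so none of
// them can be changed without invalidating it.
const (
	headerLen = 5
	sigLen    = ed25519.SignatureSize
)

var ErrBadImage = errors.New("firmware image rejected")

// TrustStore maps a key ID to a public key that is still trusted to sign
// firmware. Rotating a key means adding the new key under a fresh ID and
// deleting the old entry, after which images signed with the old key fail.
type TrustStore map[byte]ed25519.PublicKey

// BuildImage produces a signed image; it stands in for the vendor's build step.
func BuildImage(priv ed25519.PrivateKey, keyID byte, payload []byte) []byte {
	signed := make([]byte, headerLen+len(payload))
	binary.BigEndian.PutUint32(signed[0:4], uint32(len(payload)))
	signed[4] = keyID
	copy(signed[headerLen:], payload)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// VerifyImage returns the payload only after the signature over the whole
// signed region has been checked against a key the trust store still accepts.
// Nothing in the image is interpreted as firmware before that check passes.
func VerifyImage(ts TrustStore, image []byte) ([]byte, error) {
	if len(image) < headerLen+sigLen {
		return nil, ErrBadImage
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]

	// The declared length must account for every byte between header and
	// signature: no unsigned data may ride along in the image.
	declared := binary.BigEndian.Uint32(signed[0:4])
	if uint64(declared) != uint64(len(signed)-headerLen) {
		return nil, ErrBadImage
	}
	pub, ok := ts[signed[4]]
	if !ok {
		return nil, ErrBadImage // unknown or rotated-out key ID
	}
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadImage
	}
	return signed[headerLen:], nil
}

// DemoResult records the outcome of each check exercised by Demo.
type DemoResult struct {
	GenuineAccepted  bool // correctly signed image with the current key
	TamperedRejected bool // one payload byte flipped after signing
	TrailingRejected bool // extra bytes appended after the signature
	StaleKeyRejected bool // valid signature, but from a rotated-out key
}

// Demo runs the verifier against constructed images; it is the example's entry point.
func Demo() DemoResult {
	_, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed BMC firmware payload")

	// After rotation only key ID 2 (the new key) remains trusted.
	ts := TrustStore{2: newPub}
	var r DemoResult

	good := BuildImage(newPriv, 2, payload)
	got, err := VerifyImage(ts, good)
	r.GenuineAccepted = err == nil && string(got) == string(payload)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01
	_, err = VerifyImage(ts, tampered)
	r.TamperedRejected = err != nil

	trailing := append(append([]byte(nil), good...), 0xFF)
	_, err = VerifyImage(ts, trailing)
	r.TrailingRejected = err != nil

	stale := BuildImage(oldPriv, 1, payload)
	_, err = VerifyImage(ts, stale)
	r.StaleKeyRejected = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The order of operations is the point: the verifier decides how much of the image is signed from the fixed layout, checks the signature over all of it, and only then hands the payload onward. Keeping the key lookup in a trust store keyed by ID is what makes rotation a deployable change rather than a firmware rebuild.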