Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Supermicro BMC firmware verification bypass (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 0
2 unique sources, 2 articles

Summary

Hide ▲

Two Supermicro BMC firmware vulnerabilities, CVE-2025-7937 and CVE-2025-6198, let crafted images bypass Root of Trust and signing-table verification, creating risk of unauthorized firmware updates and persistent control. The flaws stem from improper cryptographic-signature verification in the update path. The findings also indicate that the earlier fix for CVE-2024-10237 was insufficient in this firmware validation flow.

Related Happenings

WireTap memory-bus interposer analysis breaks Intel SGX attestation on DDR4 systems

Technical Analysis
First: 01.10.2025 20:20 Last: 01.10.2025 20:20 Sources 1

About this happening: Researchers demonstrated **WireTap**, a **memory-bus interposer** attack that can extract **Intel SGX attestation keys** on **DDR4 systems**, undermining enclave confidentiality a...

Open Happening

Timeline

  1. 23.09.2025 21:00 3 articles · 8mo ago

    Supermicro BMC firmware verification bypass disclosure

    Initial Disclosure

    Binarly disclosed two Supermicro Baseboard Management Controller (BMC) firmware vulnerabilities, CVE-2025-7937 and CVE-2025-6198, that allow a crafted firmware image to bypass Root of Trust (RoT) 1.0 and Signing Table verification by redirecting validation to fake "fwmap" and "sig_table" data in the unsigned region. The analysis says the earlier fix for CVE-2024-10237 was insufficient, and further investigation into the X13SEM-F motherboard and the "auth_bmc_sig" function indicates a malicious image can be loaded without changing the hash digest, creating risk of unauthorized firmware updates and persistent control of the BMC system and the main server OS.

    Show sources
    Open in new tab