Supermicro Servers Face Serious Firmware Security Flaws Again
Supermicro server motherboards carry serious security flaws in their baseboard management controller (BMC) firmware that could let an attacker take control of a machine remotely. The flaws are especially worrying because they allow malicious firmware to be installed on the management controller, which runs before and independently of the operating system. An infection at that level is nearly impossible to detect or remove with ordinary host-level tools.
Earlier this year Supermicro released a patch for one of these issues, but the fix turned out to be incomplete. Security firm Binarly found that it did not fully close a high-severity vulnerability, tracked as CVE-2024-10237, that lets an attacker reflash the BMC firmware with an image of their choosing, creating a persistent backdoor. Binarly has now also uncovered a second, separate vulnerability that can be exploited to the same end.
What’s the risk with these firmware flaws?
These vulnerabilities could be exploited to install firmware implants, malicious code that lives in the management controller's flash rather than on the host. One notorious example is iLOBleed, a rootkit found in 2021 in the iLO management firmware of HPE servers. It wiped the servers' disks and kept coming back, surviving operating-system reinstalls and even drive replacement, because it lived in the management controller rather than on the storage it destroyed.
Binarly says the new flaws give attackers "unprecedented persistence" on Supermicro servers: a hacker could keep control of affected systems for a long time regardless of the security measures running on the host. The vulnerabilities, tracked as CVE-2025-7937 and CVE-2025-6198, are in the firmware of the baseboard management controller (BMC), a dedicated chip on the motherboard that lets administrators manage the server remotely.
How do these BMC vulnerabilities work?
BMCs are powerful tools. They let administrators install updates, monitor temperatures, control fans, and reflash the server's firmware, all remotely and even when the host is powered off, since the BMC runs on standby power. Because of that power, BMC firmware is supposed to accept only update images that carry a valid vendor signature, so that an attacker cannot load code of their own.
The vulnerabilities Binarly found let an attacker bypass that signature check. Anyone who can reach the BMC's firmware-update interface, whether with stolen administrator credentials, by exploiting another BMC vulnerability, or by slipping a tampered image into the update supply chain, can push a crafted image that the BMC accepts as genuine and then runs.
The trouble stems from how the signature is verified. Rather than covering the whole image, the check hashes only the regions that a table inside the image says to hash, and that table is not adequately protected. Supermicro's January patch was meant to fix CVE-2024-10237, a flaw of exactly this kind, but Binarly found the fix incomplete: an attacker can still add or repoint entries in the region table so that the hash is computed over bytes of their choosing while the regions the BMC actually runs contain malicious code.
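To make the validation weakness concrete, here is an added example that is not code from the original article, from Supermicro or from Binarly. It models a toy signed-image format (an assumed layout, not Supermicro's real one) in which the signature covers only the regions an in-image map lists, shows how an attacker who can rewrite the unsigned map keeps the signature valid while replacing the region the controller actually runs, and places the hardened validator beside it. HMAC-SHA256 under a shared key stands in for the vendor's RSA signature so that it runs with the standard library only; the region contents and the vendor key are constructed.

```python
"""Toy model of 'hash only what the in-image map lists' (added example).

Assumed layout, not Supermicro's real format:
    0x00    u32 map_off    offset of the region map
    0x04    u32 map_count  number of (offset, size) entries
    0x08    ...            firmware regions laid out back to back
    map_off                map_count * (u32 offset, u32 size)
    end-32                 32-byte "signature"
"""
import hashlib
import hmac
import struct

VENDOR_KEY = b"hypothetical-vendor-signing-key"  # assumption: stand-in for the vendor's private key
SIG_LEN = 32
HDR = struct.Struct("<II")
ENTRY = struct.Struct("<II")

# Constructed sample regions (not real BMC contents).
SAMPLE_REGIONS = [b"BOOT" * 4, b"KERNEL:" + b"\x00" * 9, b"ROOTFS" * 3]
KERNEL_OFF, KERNEL_LEN = HDR.size + 16, 16    # fixed place the BMC boots its kernel from
PAYLOAD = b"EVILKERNEL" + b"\x00" * 6         # same size as the kernel region


def sign(digest: bytes) -> bytes:
    """Stand-in for the vendor signing a digest (HMAC instead of RSA)."""
    return hmac.new(VENDOR_KEY, digest, "sha256").digest()


def digest_of_listed_regions(image: bytes) -> bytes:
    """Hash exactly the regions the in-image map points at, nothing else."""
    map_off, count = HDR.unpack_from(image, 0)
    h = hashlib.sha256()
    for i in range(count):
        off, size = ENTRY.unpack_from(image, map_off + i * ENTRY.size)
        h.update(image[off:off + size])
    return h.digest()


def build_image(regions, sign_whole_image: bool) -> bytes:
    """Vendor side: lay out header, regions and map, then append the signature.
    sign_whole_image=False is the weak scheme (only listed regions are hashed,
    the map itself is unsigned); True covers header, regions and map."""
    body = b"".join(regions)
    header = HDR.pack(HDR.size + len(body), len(regions))
    entries, off = b"", HDR.size
    for r in regions:
        entries += ENTRY.pack(off, len(r))
        off += len(r)
    unsigned = header + body + entries
    digest = hashlib.sha256(unsigned).digest() if sign_whole_image \
        else digest_of_listed_regions(unsigned)
    return unsigned + sign(digest)


def verify_vulnerable(image: bytes) -> bool:
    """Weak validator: trusts the unsigned header and map to say what to hash."""
    return hmac.compare_digest(sign(digest_of_listed_regions(image)), image[-SIG_LEN:])


def verify_hardened(image: bytes) -> bool:
    """Signature covers every byte before it, so the map can be neither edited
    nor moved; map entries are also bounds-checked before anything uses them."""
    if not hmac.compare_digest(sign(hashlib.sha256(image[:-SIG_LEN]).digest()), image[-SIG_LEN:]):
        return False
    map_off, count = HDR.unpack_from(image, 0)
    if map_off + count * ENTRY.size > len(image) - SIG_LEN:
        return False
    for i in range(count):
        off, size = ENTRY.unpack_from(image, map_off + i * ENTRY.size)
        if off < HDR.size or off + size > map_off:   # regions must stay below the map
            return False
    return True


def implant(image: bytes, region_index: int, payload: bytes) -> bytes:
    """Attacker side: keep a pristine copy of the region in unused space so the
    listed-region digest is unchanged, repoint the map entry at the copy, and
    overwrite the real region, which the BMC actually runs, with the payload."""
    map_off, _ = HDR.unpack_from(image, 0)
    entry_pos = map_off + region_index * ENTRY.size
    off, size = ENTRY.unpack_from(image, entry_pos)
    if len(payload) != size:
        raise ValueError("payload must fill the region exactly")
    body, sig = bytearray(image[:-SIG_LEN]), image[-SIG_LEN:]
    copy_off = len(body)
    body += body[off:off + size]                       # pristine copy for the hash
    ENTRY.pack_into(body, entry_pos, copy_off, size)   # map now points at the copy
    body[off:off + size] = payload                     # real region replaced
    return bytes(body) + sig


if __name__ == "__main__":
    weak = implant(build_image(SAMPLE_REGIONS, False), 1, PAYLOAD)
    print("weak validator accepts implant:", verify_vulnerable(weak))
    strong = implant(build_image(SAMPLE_REGIONS, True), 1, PAYLOAD)
    print("hardened validator accepts implant:", verify_hardened(strong))
```

The weak validator accepts the implanted image because the only thing it checks is a hash of whatever the map points at, and the map is attacker-controlled. Binding the map and header into the signed digest removes the attacker's steering wheel; the bounds checks are there so that a signed but malformed map cannot be used to read outside the image either.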
Supermicro’s response and what’s next
Supermicro has announced that it has updated its BMC firmware to address these vulnerabilities. It says the new versions are being tested and recommends that customers watch its release notes. As of now, however, the patched firmware is not widely available for download, and security experts remain cautious.
Binarly's founder and CEO, Alex Matrosov, pointed out that fixing these issues is complex. In his view the bugs are deeply rooted in the hardware design, which makes them hard to patch quickly, and he warned that more time may be needed before fully secured firmware is rolled out.
These vulnerabilities show why flaws below the operating system are especially dangerous. They can give attackers long-term access to and control over critical infrastructure, particularly in the data centers and AI facilities that rely on Supermicro servers. They are also a reminder that a patch is not the end of the story: firmware security needs ongoing attention.
In the meantime, organizations running affected servers should watch for the corrected firmware, keep BMC network interfaces on an isolated management network, restrict who can push firmware updates, and record BMC firmware versions and image hashes so that an unexpected change stands out. Firmware security is a complicated game, but that kind of vigilance reduces the chance of a serious breach.