Unremovable Malware Hits Supermicro Servers

Security researchers warn that Supermicro server motherboards harbor two high-severity BMC vulnerabilities that could let attackers install persistent firmware. The flaws, discovered by Binarly, threaten large deployments in data centers and AI environments.

Security researchers warn that Supermicro server motherboards harbor two high-severity baseboard management controller (BMC) vulnerabilities that could allow attackers to remotely install malicious firmware that persists across reboots and even device power cycles. The flaws were uncovered by Binarly, the security firm led by Alex Matrosov, and are said to affect a broad range of Supermicro devices used in data centers.

One of the bugs arose from an incomplete patch linked to CVE-2024-10237, a high-severity flaw that enables firmware reflashing during the boot process. Binarly investigators also flagged a second critical vulnerability (tracked as CVE-2025-7937 and CVE-2025-6198) that enables the same class of boot-time persistence, potentially allowing an attacker to install persistent firmware across affected machines.

Unprecedented persistence

The researchers warned that, like the infamous ILObleed incident that struck HP servers in 2021, these Supermicro flaws could enable malicious firmware to endure standard disinfection steps. Even replacing drives or reinstalling the OS would not remove the implanted code if the BMC-level infection remains active.

The flaws reside in silicon directly soldered onto Supermicro motherboards, and the BMCs provide powerful remote capabilities, including reflashing UEFI firmware, monitoring hardware, and controlling power states. The report notes that the BMC can operate and perform such tasks even when the host server is powered down, amplifying the risk of a long-lasting compromise across large fleets.

Supermicro has acknowledged the findings and says it has updated the BMC firmware to mitigate the vulnerabilities, though Binarly says it has not yet verified that patched firmware has been widely deployed or fully closes the exposed attack surface. Researchers urge administrators to stay current with firmware advisories, secure BMC management networks, and closely monitor vendor communications for patches and guidance on affected product families.

 

Arstechnica
