CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Endpoint Security

New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks

Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models.

Server and computer hardware giant Supermicro has released updates to address multiple vulnerabilities in Baseboard Management Controllers (BMC) IPMI firmware.

The issues (tracked as CVE-2023-40284 to CVE-2023-40290) could allow remote attackers to gain root access to the BMC system, firmware supply chain security firm Binarly, which identified the bugs, explains.

A special chip on server motherboards that support remote management, the BMC allows administrators to monitor various hardware variables and even update the UEFI system firmware. The BMC chips remain operational even if the system’s power is turned off.

The most severe of these bugs are three cross-site scripting (XSS) vulnerabilities in the BMC server frontend that could be exploited remotely, without authentication, to execute arbitrary JS code.

The flaws are tracked as CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 and, according to Supermicro’s advisory, have a CVSS score of 8.3.

“An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI,” Supermicro notes.

Binarly, however, considers these issues ‘critical severity’, with a CVSS score of 9.6. The security firm assumes that the attacker knows the BMC web server’s IP address and the administrator’s email address, which it uses to send a phishing email.

CVE-2023-40289, which is described as a command injection bug in the BMC server backend, should also be considered critical severity, with a CVSS score of 9.1, Binarly says.

Advertisement. Scroll to continue reading.

“The vulnerability is critical because it allows authenticated attackers to gain root access and completely compromise the BMC system. This privilege makes it possible to make the attack persistent even while the BMC component is rebooted and to move laterally within the compromised infrastructure, infecting other endpoints,” the security firm notes.

Supermicro, however, rates the issue with a CVSS score of 7.2, noting that it requires for the attacker to be logged into the BMC with administrator privileges.

Binarly also identified two XSS flaws (CVE-2023-40285 and CVE-2023-40286) in the Supermicro BMC IPMI firmware that could lead to the execution of malicious code every time a specific action is triggered. The complexity of the attack is low, with no circumstances preventing successful exploitation, Binarly says.

Both vulnerabilities can be exploited by sending phishing emails and tricking BMC administrators into clicking a link while they are still logged in to the BMC web UI.

CVE-2023-40290, another high-severity XSS flaw, can only be exploited using the Internet Explorer 11 browser on Windows.

According to Supermicro, the vulnerability impacts the BMC IPMI firmware of select B11, CMM, H11, H12, M11, and X11 motherboards.

The company says it is not aware of any malicious exploitation of these vulnerabilities.

Binarly’s research focused on the web server component due to it being the most accessible and most likely attack vector. The company has seen more than 70,000 instances of internet-exposed Supermicro IPMI web interfaces.

Related: New AMI BMC Flaws Allowing Takeover and Physical Damage Could Impact Millions of Devices

Related: Security Flaws in AMI BMC Can Expose Many Data Centers, Clouds to Attacks

Related: BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.