Two New Supermicro BMC Vulnerabilities Enable Malicious Firmware to Bypass Root of Trust

Cybersecurity experts have revealed details of two newly discovered vulnerabilities affecting Supermicro Baseboard Management Controller (BMC) firmware, which could allow attackers to bypass critical security checks and install malicious firmware images.

Both flaws, rated as medium severity, stem from improper validation of cryptographic signatures:

  • CVE-2025-7937 (CVSS 6.6): Enables attackers to bypass BMC firmware Root of Trust (RoT) 1.0 by redirecting the verification process to a fake “fwmap” table within the unsigned region of the image.
  • CVE-2025-6198 (CVSS 6.4): Allows bypass of BMC firmware’s Signing Table validation by pointing to a fraudulent “sig_table” within the unsigned region.

How the Exploit Works

Firmware updates in Supermicro BMCs involve three main validation steps:

  1. Retrieving the public key from the SPI flash chip.
  2. Processing either the “fwmap” or “sig_table” table within the uploaded image.
  3. Calculating a cryptographic digest of all signed regions and verifying it against the signature.

According to Binarly, the security firm that discovered the flaws, CVE-2025-7937 effectively bypasses CVE-2024-10237, a vulnerability first disclosed by NVIDIA and Supermicro earlier in 2025. The original flaw allowed malicious images to be flashed onto the BMC SPI chip, granting attackers persistent control over both the BMC and the host operating system.

Further investigation revealed that even with Supermicro’s patch, attackers could still inject custom entries into the “fwmap” table before the original data, manipulating the validation process to execute arbitrary code.

Expanding the Attack Surface

The second vulnerability, CVE-2025-6198, introduces another attack vector. Researchers found that the “auth_bmc_sig” function could be tricked into accepting a malicious image without altering the calculated digest. By modifying the “sig_table” and relocating original data to unused firmware space, attackers could preserve hash integrity while introducing malicious code.

This means that not only can attackers update the firmware with a custom image, but they can also bypass the Root of Trust mechanism, undermining one of the most critical layers of BMC security.

Broader Implications

Binarly’s CEO, Alex Matrosov, highlighted the dangers of key reuse across product lines. He emphasized that any compromise of signing keys could have ecosystem-wide consequences, citing previous incidents like Intel’s Boot Guard key leak. The research demonstrates that relying solely on hardware-based Root of Trust is insufficient if signing keys are mismanaged or reused.

Why This Matters

BMCs are a critical component in modern servers, enabling remote management even when the host system is offline. Compromise at this level grants attackers persistent, low-level access—a nightmare scenario for enterprises and data centers.

These findings underscore the importance of:

  • Enforcing key rotation policies for firmware signing.
  • Strengthening validation processes beyond software-based checks.
  • Conducting ongoing firmware security audits to detect hidden attack paths.

Conclusion

The discovery of CVE-2025-7937 and CVE-2025-6198 reveals once again that firmware remains a high-value target for attackers. With the ability to evade Root of Trust protections, these vulnerabilities demonstrate how fragile supply-chain security can be when cryptographic practices are insufficient.

Enterprises relying on Supermicro hardware should prioritize patching and adopt a proactive approach to firmware governance, ensuring that misconfigurations or outdated validation logic do not open the door to persistent threats.

Source: https://thehackernews.com/2025/09/two-new-supermicro-bmc-bugs-allow.html