
Recent findings have unveiled alarming vulnerabilities within Supermicro server motherboards that could enable hackers to implant malware at a fundamental level, beyond the reach of traditional security measures. These high-risk flaws permit malicious firmware to be executed even before the operating system starts, significantly complicating detection and removal.

According to Alex Matrosov, the CEO of security firm Binarly, the first of these vulnerabilities stems from an inadequate patch that Supermicro released in January of this year. This patch was intended to address CVE-2024-10237, a critical vulnerability that allowed attackers to overwrite firmware during the boot-up process. However, a second, equally severe flaw has also been identified, amplifying the potential for exploitation.

The implications of these vulnerabilities are severe, akin to the notorious ILObleed incident of 2021, which affected HP Enterprise servers. That attack involved the installation of destructive firmware that permanently erased stored data, persisting even after standard remediation efforts such as operating system reinstalls or hard drive replacements. Matrosov elaborated on the situation in an interview with Ars, expressing concern over the persistence these vulnerabilities provide across large fleets of Supermicro devices, particularly in AI data centers. After the earlier vulnerability was patched, Binarly explored the broader attack surface and discovered even more significant security issues.

The two newly identified vulnerabilities, designated CVE-2025-7937 and CVE-2025-6198, are embedded within silicon on Supermicro motherboards that support data center servers. Baseboard Management Controllers (BMCs), which facilitate remote administration tasks like firmware updates and hardware monitoring, are at the center of these vulnerabilities. Alarmingly, BMCs can execute these critical functions even when the server is powered down, creating a substantial risk for organizations relying on these systems.