Supermicro server motherboards can be infected with unremovable malware

Security firm Binarly has disclosed that Supermicro server motherboards can be infected with unremovable malware because of two high-severity vulnerabilities in the baseboard management controller (BMC) firmware. The vulnerabilities, tracked as CVE-2025-7937 and CVE-2025-6198, allow hackers to remotely install malicious firmware that runs before the operating system loads, making infections impossible to detect or remove without unusual protections in place.

The first vulnerability, CVE-2025-7937, stems from an incomplete fix for CVE-2024-10237, a high-severity vulnerability discovered by Nvidia last year. This earlier vulnerability enabled attackers to reflash firmware that runs while a machine is booting. However, the patch released by Supermicro in January did not fully address the issue, leaving room for exploitation.

Alex Matrosov, founder and CEO of Binarly, explained that the January patch was intended to close CVE-2024-10237 but did not fully address the underlying flaw. That oversight left the same weakness open to exploitation, with unremovable malware infections as the result. Matrosov stated that "both issues provide unprecedented persistence power across significant Supermicro device fleets, including AI data centers."

The second vulnerability, CVE-2025-6198, allows hackers to replace safe firmware images with malicious ones without triggering mechanisms for detecting and blocking such attacks. BMCs ship with protections designed to check the digital signatures of installed firmware to ensure it’s authorized by the manufacturer and safe to run. However, the vulnerabilities discovered by Binarly bypass these safeguards, enabling attackers to compromise servers remotely.

To exploit these vulnerabilities, hackers would first need to take control of the BMC. According to Matrosov, this can be done through other vulnerabilities in the BMC control interface or through a supply chain attack, in which malicious updates are distributed as part of the normal firmware update process, allowing attackers to compromise servers without arousing suspicion.

What makes these vulnerabilities particularly concerning is the persistence they grant. iLOBleed, an implant discovered in 2021, infected HP Enterprise servers with wiper firmware; even after administrators took common disinfection steps, such as reinstalling the operating system or swapping out hard drives, the malware remained intact and reactivated the disk-wiping attack.

Supermicro has acknowledged the vulnerabilities and is currently testing and validating affected products. The company advises customers to check release notes for the resolution but has not yet made the patched firmware updates available on its website. Matrosov expressed skepticism about the speed of the update process, stating that "the bug is hard to fix. I assume it will take more time from them."

The discovery of these vulnerabilities highlights the ongoing threat of unremovable malware and the importance of robust security measures in server management systems. As organizations continue to rely on complex IT infrastructure, the need for secure and reliable hardware solutions becomes increasingly crucial.

Impact and Implications

The implications of these vulnerabilities are far-reaching, with significant potential impacts on data centers, AI research institutions, and other organizations that utilize Supermicro server motherboards. The persistence power of these malware infections poses a substantial threat to data security, as compromised servers can remain undetected even after administrators take corrective actions.

Furthermore, the exploitation of these vulnerabilities raises concerns about supply chain attacks and the potential for malicious updates to be distributed through legitimate channels. This highlights the need for robust security measures in software update processes and the importance of verifying firmware authenticity before deployment.

Prevention and Mitigation

In light of these discoveries, organizations that utilize Supermicro server motherboards must take immediate action to mitigate the risks associated with these vulnerabilities. This includes:

  • Implementing additional protections to detect and block malicious firmware updates
  • Conducting thorough risk assessments and vulnerability scans to identify affected systems
  • Prioritizing software updates and patches for affected products
  • Developing incident response plans to address potential malware infections
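
The article describes two defensive controls in the abstract: a BMC's signature check on incoming firmware, and an operator verifying firmware authenticity before deployment. The following Go program, added here as an illustration and not code from Supermicro, Binarly or any BMC vendor, shows what both look like in a minimal form. The image layout (a "BMCF" magic, a version byte, a payload), the key handling and the sample payload are all constructed for the example; it does not describe the mechanics of CVE-2025-7937 or CVE-2025-6198, which the article does not detail. The design point it makes is general: the signature the BMC verifies must cover every byte that will be written to flash, and operators should record a digest of what they deployed so a later dump of BMC flash can be compared against it.

```go
// Added example (not Supermicro's or Binarly's code): a reference firmware
// update gate that refuses to flash any image whose vendor signature does not
// cover every byte of the image. Image layout and key handling are constructed
// for illustration.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Magic identifies the hypothetical image format used in this example.
var Magic = []byte("BMCF")

// FirmwareUpdate is the unit a BMC would receive: the raw image that will be
// written to flash plus a detached signature made by the vendor.
type FirmwareUpdate struct {
	Image     []byte // header + payload, exactly the bytes to be flashed
	Signature []byte // ed25519 signature over the whole Image
}

// BuildImage assembles a constructed image: 4-byte magic, a version byte,
// then the payload. Real BMC images are far more complex; the point is only
// that the signature below is computed over all of these bytes.
func BuildImage(version byte, payload []byte) []byte {
	img := make([]byte, 0, len(Magic)+1+len(payload))
	img = append(img, Magic...)
	img = append(img, version)
	return append(img, payload...)
}

// SignImage is what a vendor's release pipeline would do with its private key.
func SignImage(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(priv, image)}
}

// VerifyUpdate is the check a BMC must run before touching flash. It returns
// nil only if the image is well formed and the signature, made with the
// vendor key trusted by the BMC, covers the entire image.
func VerifyUpdate(vendorPub ed25519.PublicKey, u FirmwareUpdate) error {
	if len(u.Image) < len(Magic)+1 || !bytes.Equal(u.Image[:len(Magic)], Magic) {
		return errors.New("malformed image header")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	// Verify over u.Image as a whole, never over a header or manifest alone:
	// any byte the verifier does not cover is a byte that can change unnoticed.
	if !ed25519.Verify(vendorPub, u.Image, u.Signature) {
		return errors.New("signature does not match image")
	}
	return nil
}

// ImageDigest gives the SHA-256 of an image, which administrators can record
// at deployment time and compare against a later dump of BMC flash.
func ImageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignImage(priv, BuildImage(1, []byte("constructed BMC payload")))
	fmt.Println("vendor image:", VerifyUpdate(pub, good), ImageDigest(good.Image))

	// One payload byte changed while the original signature is kept.
	tampered := FirmwareUpdate{Image: append([]byte(nil), good.Image...), Signature: good.Signature}
	tampered.Image[len(tampered.Image)-1] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, tampered))

	// An image signed with a key the BMC does not trust must also be refused.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("untrusted key:", VerifyUpdate(pub, SignImage(rogue, good.Image)))
}
```

In a deployment workflow, the digest returned by ImageDigest for each image that passed VerifyUpdate would be stored in the asset inventory; an incident response plan can then include dumping BMC flash and comparing it with that recorded value, which is one of the few ways to notice firmware that survives an operating system reinstall.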

By taking proactive measures to address these vulnerabilities, organizations can minimize the risks associated with unremovable malware and ensure the security of their data centers.

Conclusion

The discovery of CVE-2025-7937 and CVE-2025-6198 highlights the ongoing threat of unremovable malware and underscores the importance of robust security measures in server management systems. Organizations that utilize Supermicro server motherboards must take immediate action to mitigate the risks associated with these vulnerabilities and ensure the security of their data centers.

As the complexity of IT infrastructure continues to grow, the need for secure and reliable hardware solutions becomes increasingly crucial. By prioritizing security and taking proactive steps to address potential vulnerabilities, organizations can minimize the risks associated with unremovable malware and protect their critical assets from compromise.