Supermicro server motherboards can be infected with unremovable malware

Servers running on motherboards sold by Supermicro contain high-severity vulnerabilities that can allow hackers to remotely install malicious firmware that runs even before the operating system, making infections impossible to detect or remove without unusual protections in place.

One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. He said that the insufficient fix was meant to patch CVE-2024-10237, a high-severity vulnerability that enabled attackers to reflash firmware that runs while a machine is booting. Binarly discovered a second critical vulnerability that allows the same sort of attack.

“Unprecedented persistence”

Such vulnerabilities can be exploited to install firmware similar to ILObleed, an implant discovered in 2021 that infected HP Enterprise servers with wiper firmware that permanently destroyed data stored on hard drives. Even after administrators reinstalled the operating system, swapped out hard drives, or took other common disinfection steps, ILObleed would remain intact and reactivate the disk-wiping attack. The exploit the attackers used in that campaign had been patched by HP four years earlier but wasn’t installed in the compromised devices.

“Both issues provide unprecedented persistence power across significant Supermicro device fleets including [in] AI data centers,” Matrosov wrote to Ars in an online interview, referring to the two latest vulnerabilities Binarly discovered. “After they patched [the earlier vulnerability], we looked at the rest of the attack surface and found even worse security problems.”

The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. Baseboard management controllers (BMCs) allow administrators to remotely perform tasks such as installing updates, monitoring hardware temperatures, and setting fan speeds accordingly. BMCs also enable some of the most sensitive operations, such as reflashing the firmware for the UEFI (Unified Extensible Firmware Interface) that’s responsible for loading the server OS when booting. BMCs provide these capabilities and more, even when the servers they’re connected to are turned off.