New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks
Supermicro, a server and computer hardware company, has released firmware updates that fix multiple vulnerabilities in the IPMI firmware of its Baseboard Management Controllers (BMC). Chained together, the flaws could allow a remote attacker to gain root access on the BMC.

The most severe of the vulnerabilities, tracked as CVE-2023-40284, CVE-2023-40287 and CVE-2023-40288, are three cross-site scripting (XSS) flaws in the BMC web frontend that can be triggered remotely without authentication. As with any XSS, the attacker-controlled input still has to be rendered in a logged-in administrator's browser, so the practical attack path is to lure an administrator to a crafted link to the BMC's web interface. Supermicro assigns these issues a CVSS score of 8.3, while Binarly, the security firm that discovered them, considers them critical and rates them 9.6.

Binarly also identified further vulnerabilities, including a command injection bug in the BMC server backend. It is this backend bug, reached through the frontend XSS, that turns a browser-side flaw into command execution as root on the controller.

Supermicro states that it is not aware of any malicious exploitation of these vulnerabilities. Administrators should apply the updated firmware and, as a general rule for IPMI interfaces, keep the BMC network port on an isolated management network rather than exposing it to the internet or to general-purpose user networks.