
Supermicro Motherboards Harbor Unremovable Malware

Summary

– Supermicro motherboards contain critical vulnerabilities allowing hackers to install undetectable firmware that runs before the operating system.
– One vulnerability resulted from an incomplete patch for a previous flaw (CVE-2024-10237) discovered by security firm Binarly.
– These flaws can be exploited to install persistent malware, similar to the ILObleed implant that survived OS reinstallation and destroyed data.
– The vulnerabilities (CVE-2025-7937 and CVE-2025-6198) affect baseboard management controllers (BMCs) on servers, including those in AI data centers.
– BMCs allow remote administration even when servers are off and can perform sensitive tasks like reflashing the boot firmware.

Servers built on Supermicro motherboards are facing a critical security crisis, with newly identified vulnerabilities enabling attackers to embed malware so deep within the system that conventional removal methods are completely ineffective. This threat stems from flaws that permit the remote installation of malicious firmware, which activates before the operating system even loads.

According to security researchers at Binarly, one of the two vulnerabilities results from an incomplete patch that Supermicro issued earlier this year. That fix was intended to resolve a previously identified high-severity flaw (CVE-2024-10237) but left the door open for continued exploitation. The security firm also uncovered a second, separate critical vulnerability that facilitates the same type of attack.

These security holes can be leveraged to install firmware implants with what experts describe as “unprecedented persistence.” This level of endurance is comparable to historical threats like ILObleed, a malicious implant discovered several years ago that infected enterprise servers with data-destroying firmware. In that case, standard remediation steps, such as reinstalling the operating system or replacing hard drives, proved useless because the malware resided in a deeper layer of the hardware.

The newly discovered vulnerabilities, tracked as CVE-2025-7937 and CVE-2025-6198, exist within specialized chips permanently attached to the motherboards. These components, known as baseboard management controllers (BMCs), are responsible for a range of remote administration functions. BMCs let administrators perform sensitive operations such as updating firmware, reflashing the boot firmware, and monitoring system health, even when the main server is powered down. That same capability is what makes them such a valuable target for attackers seeking a permanent foothold. The implications are particularly severe for large-scale deployments, including the powerful servers driving artificial intelligence data centers, where a compromise could have widespread consequences.

(Source: Ars Technica)
