A study conducted by the cybersecurity company Binarly has found multiple vulnerabilities in Supermicro's Baseboard Management Controller (BMC), a dedicated chip on server motherboards that provides remote management. The most severe of these are three cross-site scripting (XSS) flaws in the BMC web frontend that could be exploited remotely, without authentication, to execute arbitrary JavaScript in the browser of a user of the BMC web interface. Binarly rates these issues as critical and notes that an attacker who knows the BMC web server's IP address and the administrator's email address could exploit them by sending a phishing email. Binarly also identified two XSS flaws in the Supermicro BMC IPMI firmware that could lead to the execution of malicious code. A further high-severity XSS flaw was identified, which can only be exploited using Internet Explorer 11 on Windows. Supermicro is not aware of any malicious exploitation of these vulnerabilities.

