NEWS Backdoor Forever: Even Reinstalling Your OS No Longer Guarantees Server Security

ExcalibuR

Researchers have found a way to create practically indestructible digital parasites.

Supermicro server boards contain critical vulnerabilities in their Baseboard Management Controller (BMC): the company Binarly discovered a way to load malicious firmware that runs before the operating system and becomes almost irreversible. One of the issues is reportedly the result of an incomplete fix released earlier, while the second one is even deeper and provides attackers with similar, but more thorough, persistence within the infrastructure, including data centers for artificial intelligence systems.

The Baseboard Management Controllers (BMC) on Supermicro boards are responsible for remote administration, temperature monitoring, fan control, and flashing the UEFI, which handles OS booting. Vulnerabilities CVE-2025-7937 and CVE-2025-6198 allow replacing digitally signed firmware images with malicious ones, bypassing verification mechanisms because attackers gain the ability to modify the tables and memory regions where signatures and bootloaders are stored.

The exploitation technique resembles the ILObleed rootkit incident: the malicious firmware persists on the board even after reinstalling the OS and replacing storage drives, rendering standard disinfection procedures useless. According to Binarly, exploitation is possible in two scenarios—either through direct takeover of the BMC administrative interface via other vulnerabilities, or through supply chain compromise, where servers receive supposedly official updates with tampered images.

In the first case, an attacker simply needs to perform an update with a malicious image; in the second, the end administrator remotely receives a "trusted" update that the BMC does not block.

The technical root of the problem lies in the logic for verifying the loaded image and the organization of the fwmap, which contains the addresses of signed regions. After a January patch, Supermicro added checks, closing an exploit in one memory offset, but Binarly found a bypass through another offset and demonstrated that the area for the original bootloader could be replaced with arbitrary code. This makes a potential attack not only persistent but also grants full control even before the operating system starts.
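The class of bug described above, as an added toy model that is not Supermicro's code or Binarly's analysis: a verifier that trusts a region map stored with the image can be made to skip the bootloader region entirely, while a verifier with its own fixed manifest rejects the same image. The layout, region names, marker bytes and the HMAC stand-in for the vendor signature are all constructed assumptions.

```python
import hashlib
import hmac
# Constructed stand-in for the vendor's signing key. Real BMC firmware uses
# asymmetric signatures; HMAC-SHA256 is used only so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"
# Hypothetical layout of a toy 1 KiB BMC image: name -> (offset, length).
LAYOUT = {"bootloader": (0x000, 0x100), "kernel": (0x100, 0x200), "rootfs": (0x300, 0x100)}


def sign_region(data: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def build_signed_image():
    """Constructed sample: marker-filled regions plus an fwmap of
    (name, offset, length, signature) entries stored alongside the image."""
    image = b"\xB0" * 0x100 + b"\xC0" * 0x200 + b"\xD0" * 0x100
    fwmap = [(n, off, ln, sign_region(image[off:off + ln])) for n, (off, ln) in LAYOUT.items()]
    return image, fwmap


def weak_verify(image: bytes, fwmap: list) -> bool:
    """Flawed: trusts the map stored with the image. Each listed region is
    checked, but nothing forces the bootloader region to be listed at all."""
    return all(hmac.compare_digest(sign_region(image[off:off + ln]), sig)
               for _, off, ln, sig in fwmap)


def strong_verify(image: bytes, fwmap: list) -> bool:
    """Hardened: the verifier carries its own fixed manifest and requires every
    region to be present at its expected offset with a valid signature."""
    by_name = {n: (off, ln, sig) for n, off, ln, sig in fwmap}
    for name, (exp_off, exp_len) in LAYOUT.items():
        entry = by_name.get(name)
        if entry is None or (entry[0], entry[1]) != (exp_off, exp_len):
            return False
        if not hmac.compare_digest(sign_region(image[exp_off:exp_off + exp_len]), entry[2]):
            return False
    return True


def tamper(image: bytes, fwmap: list):
    """Constructed tampering: overwrite the bootloader bytes and drop its map
    entry, so a map-driven verifier never looks at that region."""
    off, ln = LAYOUT["bootloader"]
    patched = image[:off] + b"\xEE" * ln + image[off + ln:]
    return patched, [e for e in fwmap if e[0] != "bootloader"]


def demo() -> dict:
    image, fwmap = build_signed_image()
    bad_image, bad_map = tamper(image, fwmap)
    return {"clean_weak": weak_verify(image, fwmap),            # True
            "clean_strong": strong_verify(image, fwmap),        # True
            "tampered_weak": weak_verify(bad_image, bad_map),   # True: accepted
            "tampered_strong": strong_verify(bad_image, bad_map)}  # False: rejected
```

The point for defenders is the difference between the two verifiers: a signed-region check is only as strong as the authority of the list that says which regions must be signed.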

Supermicro has notified customers about the release of BMC updates and is conducting product testing, recommending that clients review release notes to confirm the issues are resolved. However, Binarly representatives noted the absence of available fixes on the manufacturer's website and stated that resolving the error appears non-trivial and will take time.

The exploitation of such vulnerabilities threatens both corporate clusters and large computational arrays (like AI farms). Therefore, server owners are advised to check their BMC firmware status and enhance control over their update supply chains.