Introduction
An OS command injection vulnerability in Supermicro's BMC SMTP service configuration allows an authenticated administrator to execute arbitrary commands with root privileges on the management controller, potentially achieving persistent compromise that survives operating system reinstalls and hardware changes. With Supermicro holding nearly 15% of the global server market and prior research identifying over 70,000 publicly exposed Supermicro IPMI interfaces on Shodan, the blast radius of this class of vulnerability extends well beyond a single server model.
The Supermicro AS-2115HS-TNR is a 2U Hyper Server platform based on 4th Generation AMD EPYC processors, designed for data center, cloud infrastructure, and AI/ML workloads. The Baseboard Management Controller (BMC) on these servers provides out of band management capabilities including power control, firmware updates, virtual media, and console access, all independent of the host operating system. This independence is precisely what makes BMC compromise so consequential: a rooted BMC cannot be remediated through conventional OS level incident response.
Technical Information
Root Cause: Unsanitized Input in SMTP Configuration
CVE-2026-3820 is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability exists in the SMTP service configuration handler within the BMC firmware. When an administrator configures SMTP alert settings through the BMC web interface, the email configuration parameters are not properly sanitized for shell metacharacters before being incorporated into system commands.
Prior research by Binarly on the same class of vulnerability in Supermicro BMC firmware provides detailed insight into the likely mechanism. Binarly identified that the cgilib_config_alert function inside the libipmi.so binary constructs a shell command for the msmtp binary using the mail parameter from the SMTP configuration. This command is then executed via the glibc popen() function. Because popen() invokes /bin/sh to parse the command line, any shell metacharacters embedded in the email address field (such as ;, |, or backticks) are interpreted by the shell, allowing command injection.
For example, Binarly demonstrated that appending shell metacharacters like ;echo BRLY >/tmp/poc;cat to the email address field would result in those commands being executed with root privileges on the BMC's embedded Linux operating system.
This falls squarely into the first subtype of CWE-78: the application uses external inputs as arguments to a fixed program (in this case, msmtp), but command separators in the input allow attackers to insert additional commands.
Two Stage Exploitation Chain
The NVD description states that an attacker must first "obtain administrator privileges" before injecting into the SMTP configuration. This creates a two stage attack:
Stage 1: Obtain BMC Administrator Access. This can be achieved through several vectors:
- Default or weak credentials on the BMC interface, which are common in environments where BMC passwords are not changed from factory defaults
- Credential theft via cross site scripting (XSS) vulnerabilities previously identified in Supermicro BMC firmware (CVE-2023-40284, CVE-2023-40287, CVE-2023-40288, CVE-2023-40290, CVE-2023-40285, CVE-2023-40286), which could be used to steal session cookies and hijack authenticated BMC sessions
- Credential reuse from other compromised systems
Stage 2: Inject Commands via SMTP Configuration. Once authenticated as an administrator, the attacker navigates to the SMTP alert configuration page within the BMC web interface and injects shell metacharacters into the email configuration fields. When the configuration is saved and the SMTP process is subsequently invoked, the injected commands execute with root privileges on the BMC.
Impact: Persistent Controller Compromise
The NVD description explicitly warns of three impact categories: denial of service attacks, arbitrary code execution, and permanent compromise of the controller. The "permanent compromise" aspect is particularly significant. Research by Eclypsium has demonstrated that BMC vulnerabilities can allow attackers to "persist undetected inside a server or even permanently disable the victim server" because the BMC firmware survives OS reinstalls and even hard drive replacements. A compromised BMC provides an attacker with complete control over server hardware, including power management, firmware updates, virtual media mounting, and serial console access.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-3820 |
| CVSS Score | 7.2 (High) |
| CWE Classification | CWE-78 (OS Command Injection) |
| Affected Product | Supermicro AS-2115HS-TNR (and 23 motherboard models) |
| Vulnerable Component | BMC SMTP service configuration |
| Prerequisites | Administrator privileges on BMC |
| Impact | DoS, arbitrary code execution, permanent BMC compromise |
| Disclosed By | Coreweave Red Team, Hoang Bui (Coreweave) |
Patch Information
Supermicro has addressed CVE-2026-3820 through updated BMC firmware releases detailed in their official advisory published in June 2026. Since this vulnerability resides in proprietary BMC firmware rather than an open source codebase, the fix is delivered as binary firmware images. There are no public code diffs or commit histories to inspect.
The core of the fix targets the SMTP service configuration handler within the BMC firmware. The updated firmware sanitizes and validates SMTP configuration inputs to prevent command injection through the configuration pathway.
Supermicro's advisory provides a detailed table mapping each affected motherboard SKU to its specific fixed BMC firmware version. The fix spans multiple board families:
| Board Family | Example Models | Fixed BMC Firmware Version |
|---|---|---|
| X14 series | MBD-X14SBGM, MBD-X14DBG-MAP, MBD-X14DBG-GD, MBD-X14SBT-G, MBD-X14SBT-GAP | 01.06.00.11 |
| X14DBM and H14 series | MBD-X14DBM-AP, MBD-H14DST-F, MBD-H14DST-FL, MBD-X14DBG-LC, MBD-X14DBG-LC+, MBD-H14DSG-OD, MBD-H14DSG-OM | 01.07.00.11 |
| B4/BH4 series | MBD-BH4SRG, MBD-B4SA1-CPU, MBD-B4SC1-CPU | 01.08.11 |
| B3 series | MBD-B3SD1-20C-25G | 01.11.11 |
| B14 series | MBD-B14DBE, MBD-B14SBE-CPU-25G, MBD-B14SBE-CPU-AP, MBD-B14DBT | 01.06.00.11 |
In total, 23 specific motherboard models are listed with their patched firmware versions. Administrators must apply the corresponding BMC firmware update for their specific motherboard SKU. Supermicro notes that testing and validation of affected products is ongoing, and customers should consult the release notes accompanying each firmware update for full details.
The vulnerability was responsibly disclosed by the Coreweave Red Team and researcher Hoang Bui from Coreweave.
Affected Systems and Versions
The NVD entry specifically names the Supermicro AS-2115HS-TNR as the affected product. However, Supermicro's June 2026 advisory lists 23 motherboard models across five board families that require patched firmware, indicating the vulnerability affects a broader range of products sharing the same BMC firmware codebase.
The affected board families and models include:
- X14 series: MBD-X14SBGM, MBD-X14DBG-MAP, MBD-X14DBG-GD, MBD-X14SBT-G, MBD-X14SBT-GAP, and others
- X14DBM and H14 series: MBD-X14DBM-AP, MBD-H14DST-F, MBD-H14DST-FL, MBD-X14DBG-LC, MBD-X14DBG-LC+, MBD-H14DSG-OD, MBD-H14DSG-OM
- B4/BH4 series: MBD-BH4SRG, MBD-B4SA1-CPU, MBD-B4SC1-CPU
- B3 series: MBD-B3SD1-20C-25G
- B14 series: MBD-B14DBE, MBD-B14SBE-CPU-25G, MBD-B14SBE-CPU-AP, MBD-B14DBT
Specific vulnerable firmware version ranges are not enumerated in the available sources. Any BMC firmware version prior to the fixed versions listed in the patch table above should be considered vulnerable. The full list of affected Supermicro product models beyond those explicitly named may be broader, as Supermicro notes that testing and validation is ongoing.
Vendor Security History
Supermicro's BMC firmware has been the subject of repeated security disclosures, establishing a pattern that provides important context for CVE-2026-3820. The Supermicro Security Center lists the following BMC specific advisories:
| Advisory Period | CVEs | Vulnerability Type |
|---|---|---|
| October 2023 | CVE-2023-40289, CVE-2023-40284 through CVE-2023-40290 | Command injection, XSS in BMC web interface |
| January 2025 | CVE-2024-10237, CVE-2024-10238, CVE-2024-10239 | BMC IPMI firmware vulnerabilities |
| September 2025 | CVE-2025-7937, CVE-2025-6198 | BMC firmware validation logic |
| November 2025 | CVE-2025-7623, CVE-2025-8076, CVE-2025-8404, CVE-2025-8727 | BMC firmware vulnerabilities |
| January 2026 | CVE-2025-12006, CVE-2025-12007 | Insufficient digital signature verification |
| June 2026 | CVE-2026-3820 | SMTP service command injection |
This represents six distinct vulnerability disclosure events in under three years. The October 2023 disclosure is particularly relevant: Binarly documented command injection in the same SMTP alert configuration component at that time, meaning CVE-2026-3820 represents a recurrence of the same vulnerability class in the same functional area. Binarly's research noted that the security practices in these BMC controllers "still reflect an early 2000s approach and do not meet modern security standards."
The supply chain dimension adds further complexity. Binarly identified that the Supermicro IPMI firmware component was developed by ATEN, meaning the root cause of these vulnerabilities may lie upstream in the firmware supply chain. This dynamic complicates root cause remediation because Supermicro must drive fundamental code level changes through its supply chain partner.
Additionally, Binarly's "Broken Trust" research documented that CVE-2025-6198, a Supermicro BMC firmware validation logic vulnerability, could be exploited more broadly than initially described, achieving full system compromise rather than just unauthorized firmware updates. This precedent suggests that the true exploitation potential of CVE-2026-3820 may exceed its current description.
References
- NVD: CVE-2026-3820
- Supermicro Security Advisory: BMC IPMI Firmware, June 2026
- Supermicro Security Center
- Binarly Research: Vulnerabilities in Supermicro BMCs
- Binarly: Broken Trust: Fixed Supermicro BMC Bug Gains New Life
- Eclypsium: Vulnerable Firmware in the Supply Chain of Enterprise Servers
- CWE-78: Improper Neutralization of Special Elements used in an OS Command
- OWASP: Command Injection
- Supermicro AS-2115HS-TNR Product Page
- Thomas Krenn: Supermicro BMC Safety Instructions January 2026
- Thomas Krenn: USBAnywhere Supermicro IPMI Virtual Media Vulnerability
- Proofpoint: 2026 Vulnerability Exploitation Trends
- SMCI Market Share, Q1 2026



