ZeroPath at Black Hat USA 2026

Supermicro BMC SMTP Command Injection (CVE-2026-3820): Overview of a Recurring Firmware Weakness

A brief summary of CVE-2026-3820, a High severity OS command injection in Supermicro BMC SMTP configuration that enables root level code execution on the management controller. Includes patch details across 23 affected motherboard models.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-04

Supermicro BMC SMTP Command Injection (CVE-2026-3820): Overview of a Recurring Firmware Weakness
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An OS command injection vulnerability in Supermicro's BMC SMTP service configuration allows an authenticated administrator to execute arbitrary commands with root privileges on the management controller, potentially achieving persistent compromise that survives operating system reinstalls and hardware changes. With Supermicro holding nearly 15% of the global server market and prior research identifying over 70,000 publicly exposed Supermicro IPMI interfaces on Shodan, the blast radius of this class of vulnerability extends well beyond a single server model.

The Supermicro AS-2115HS-TNR is a 2U Hyper Server platform based on 4th Generation AMD EPYC processors, designed for data center, cloud infrastructure, and AI/ML workloads. The Baseboard Management Controller (BMC) on these servers provides out of band management capabilities including power control, firmware updates, virtual media, and console access, all independent of the host operating system. This independence is precisely what makes BMC compromise so consequential: a rooted BMC cannot be remediated through conventional OS level incident response.

Technical Information

Root Cause: Unsanitized Input in SMTP Configuration

CVE-2026-3820 is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability exists in the SMTP service configuration handler within the BMC firmware. When an administrator configures SMTP alert settings through the BMC web interface, the email configuration parameters are not properly sanitized for shell metacharacters before being incorporated into system commands.

Prior research by Binarly on the same class of vulnerability in Supermicro BMC firmware provides detailed insight into the likely mechanism. Binarly identified that the cgilib_config_alert function inside the libipmi.so binary constructs a shell command for the msmtp binary using the mail parameter from the SMTP configuration. This command is then executed via the glibc popen() function. Because popen() invokes /bin/sh to parse the command line, any shell metacharacters embedded in the email address field (such as ;, |, or backticks) are interpreted by the shell, allowing command injection.

For example, Binarly demonstrated that appending shell metacharacters like ;echo BRLY >/tmp/poc;cat to the email address field would result in those commands being executed with root privileges on the BMC's embedded Linux operating system.

This falls squarely into the first subtype of CWE-78: the application uses external inputs as arguments to a fixed program (in this case, msmtp), but command separators in the input allow attackers to insert additional commands.

Two Stage Exploitation Chain

The NVD description states that an attacker must first "obtain administrator privileges" before injecting into the SMTP configuration. This creates a two stage attack:

Stage 1: Obtain BMC Administrator Access. This can be achieved through several vectors:

  • Default or weak credentials on the BMC interface, which are common in environments where BMC passwords are not changed from factory defaults
  • Credential theft via cross site scripting (XSS) vulnerabilities previously identified in Supermicro BMC firmware (CVE-2023-40284, CVE-2023-40287, CVE-2023-40288, CVE-2023-40290, CVE-2023-40285, CVE-2023-40286), which could be used to steal session cookies and hijack authenticated BMC sessions
  • Credential reuse from other compromised systems

Stage 2: Inject Commands via SMTP Configuration. Once authenticated as an administrator, the attacker navigates to the SMTP alert configuration page within the BMC web interface and injects shell metacharacters into the email configuration fields. When the configuration is saved and the SMTP process is subsequently invoked, the injected commands execute with root privileges on the BMC.

Impact: Persistent Controller Compromise

The NVD description explicitly warns of three impact categories: denial of service attacks, arbitrary code execution, and permanent compromise of the controller. The "permanent compromise" aspect is particularly significant. Research by Eclypsium has demonstrated that BMC vulnerabilities can allow attackers to "persist undetected inside a server or even permanently disable the victim server" because the BMC firmware survives OS reinstalls and even hard drive replacements. A compromised BMC provides an attacker with complete control over server hardware, including power management, firmware updates, virtual media mounting, and serial console access.

AttributeDetail
CVE IDCVE-2026-3820
CVSS Score7.2 (High)
CWE ClassificationCWE-78 (OS Command Injection)
Affected ProductSupermicro AS-2115HS-TNR (and 23 motherboard models)
Vulnerable ComponentBMC SMTP service configuration
PrerequisitesAdministrator privileges on BMC
ImpactDoS, arbitrary code execution, permanent BMC compromise
Disclosed ByCoreweave Red Team, Hoang Bui (Coreweave)

Patch Information

Supermicro has addressed CVE-2026-3820 through updated BMC firmware releases detailed in their official advisory published in June 2026. Since this vulnerability resides in proprietary BMC firmware rather than an open source codebase, the fix is delivered as binary firmware images. There are no public code diffs or commit histories to inspect.

The core of the fix targets the SMTP service configuration handler within the BMC firmware. The updated firmware sanitizes and validates SMTP configuration inputs to prevent command injection through the configuration pathway.

Supermicro's advisory provides a detailed table mapping each affected motherboard SKU to its specific fixed BMC firmware version. The fix spans multiple board families:

Board FamilyExample ModelsFixed BMC Firmware Version
X14 seriesMBD-X14SBGM, MBD-X14DBG-MAP, MBD-X14DBG-GD, MBD-X14SBT-G, MBD-X14SBT-GAP01.06.00.11
X14DBM and H14 seriesMBD-X14DBM-AP, MBD-H14DST-F, MBD-H14DST-FL, MBD-X14DBG-LC, MBD-X14DBG-LC+, MBD-H14DSG-OD, MBD-H14DSG-OM01.07.00.11
B4/BH4 seriesMBD-BH4SRG, MBD-B4SA1-CPU, MBD-B4SC1-CPU01.08.11
B3 seriesMBD-B3SD1-20C-25G01.11.11
B14 seriesMBD-B14DBE, MBD-B14SBE-CPU-25G, MBD-B14SBE-CPU-AP, MBD-B14DBT01.06.00.11

In total, 23 specific motherboard models are listed with their patched firmware versions. Administrators must apply the corresponding BMC firmware update for their specific motherboard SKU. Supermicro notes that testing and validation of affected products is ongoing, and customers should consult the release notes accompanying each firmware update for full details.

The vulnerability was responsibly disclosed by the Coreweave Red Team and researcher Hoang Bui from Coreweave.

Affected Systems and Versions

The NVD entry specifically names the Supermicro AS-2115HS-TNR as the affected product. However, Supermicro's June 2026 advisory lists 23 motherboard models across five board families that require patched firmware, indicating the vulnerability affects a broader range of products sharing the same BMC firmware codebase.

The affected board families and models include:

  • X14 series: MBD-X14SBGM, MBD-X14DBG-MAP, MBD-X14DBG-GD, MBD-X14SBT-G, MBD-X14SBT-GAP, and others
  • X14DBM and H14 series: MBD-X14DBM-AP, MBD-H14DST-F, MBD-H14DST-FL, MBD-X14DBG-LC, MBD-X14DBG-LC+, MBD-H14DSG-OD, MBD-H14DSG-OM
  • B4/BH4 series: MBD-BH4SRG, MBD-B4SA1-CPU, MBD-B4SC1-CPU
  • B3 series: MBD-B3SD1-20C-25G
  • B14 series: MBD-B14DBE, MBD-B14SBE-CPU-25G, MBD-B14SBE-CPU-AP, MBD-B14DBT

Specific vulnerable firmware version ranges are not enumerated in the available sources. Any BMC firmware version prior to the fixed versions listed in the patch table above should be considered vulnerable. The full list of affected Supermicro product models beyond those explicitly named may be broader, as Supermicro notes that testing and validation is ongoing.

Vendor Security History

Supermicro's BMC firmware has been the subject of repeated security disclosures, establishing a pattern that provides important context for CVE-2026-3820. The Supermicro Security Center lists the following BMC specific advisories:

Advisory PeriodCVEsVulnerability Type
October 2023CVE-2023-40289, CVE-2023-40284 through CVE-2023-40290Command injection, XSS in BMC web interface
January 2025CVE-2024-10237, CVE-2024-10238, CVE-2024-10239BMC IPMI firmware vulnerabilities
September 2025CVE-2025-7937, CVE-2025-6198BMC firmware validation logic
November 2025CVE-2025-7623, CVE-2025-8076, CVE-2025-8404, CVE-2025-8727BMC firmware vulnerabilities
January 2026CVE-2025-12006, CVE-2025-12007Insufficient digital signature verification
June 2026CVE-2026-3820SMTP service command injection

This represents six distinct vulnerability disclosure events in under three years. The October 2023 disclosure is particularly relevant: Binarly documented command injection in the same SMTP alert configuration component at that time, meaning CVE-2026-3820 represents a recurrence of the same vulnerability class in the same functional area. Binarly's research noted that the security practices in these BMC controllers "still reflect an early 2000s approach and do not meet modern security standards."

The supply chain dimension adds further complexity. Binarly identified that the Supermicro IPMI firmware component was developed by ATEN, meaning the root cause of these vulnerabilities may lie upstream in the firmware supply chain. This dynamic complicates root cause remediation because Supermicro must drive fundamental code level changes through its supply chain partner.

Additionally, Binarly's "Broken Trust" research documented that CVE-2025-6198, a Supermicro BMC firmware validation logic vulnerability, could be exploited more broadly than initially described, achieving full system compromise rather than just unauthorized firmware updates. This precedent suggests that the true exploitation potential of CVE-2026-3820 may exceed its current description.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization