Throughout this analysis, Binarly found a second vulnerability, CVE-2025-6198, regarding Supermicro’s X13SEM-F motherboard firmware, additionally rated as excessive severity with a CVSS rating of seven.2.
Whereas CVE-2025-7937 or CVE-2025-6198 would pose main safety dangers within the occasion attackers have been in a position to exploit them, the caveat is that to take action the attackers would wish to have established admin entry to the methods to work together with the firmware.
That may make exploitation sound like a protracted shot — neither may be exploited remotely — however as numerous real-world assaults present, rogue admin entry and privilege elevation may be gained in a separate, oblique assault.
Incomplete repair
CVE-2025-7937 and CVE-2025-6198 uncovered completely different points with Supermicro’s validation logic, the checking course of that’s alleged to cease authentic firmware being changed with malicious code.
Binarly stated that the January flaw, CVE-2024-10237, made it doable to idiot the validation course of by including illicit entries to the firmware map desk (fwmap) in order that the rogue firmware matched the cryptographically signed worth.
Supermicro adjusted the validation checks to detect this, however via CVE-2025-7937, Binarly researchers have been in a position to re-target the modified validation checking.
