CVE-2023-35861

high-risk

Published 2023-07-31

A shell-injection vulnerability in email notifications on Supermicro motherboards (such as H12DST-B before 03.10.35) allows remote attackers to inject execute arbitrary commands as root on the BMC.

Do I need to act?

0.97% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

X12Spo-F Firmware

H12Dst-B Firmware

X13Dai-T Firmware

X13Ddw-A Firmware

X13Deg-Oa Firmware

X13Deg-Oad Firmware

X13Deg-Pvc Firmware

X13Deg-Qt Firmware

X13Dei Firmware

X13Dei-T Firmware

X13Dem Firmware

X13Det-B Firmware

X13Dgu Firmware

X13Dsf-A Firmware

X13Qeh\+ Firmware

X13Sae Firmware

X13Sae-F Firmware

X13San-C Firmware

X13San-C-Wohs Firmware

X13San-E Firmware

Affected Vendors

Supermicro

References (6)

Exploit https://blog.freax13.de/cve/cve-2023-35861

Product https://www.supermicro.com/en/products/motherboards

Vendor Advisory https://www.supermicro.com/en/support/security_SMTP_Jun_2023

Exploit https://blog.freax13.de/cve/cve-2023-35861

Product https://www.supermicro.com/en/products/motherboards

Vendor Advisory https://www.supermicro.com/en/support/security_SMTP_Jun_2023

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 3/34 · Minimal

Exposure 33/34 · Critical