CVE-2024-36435
Published: 11 July 2024
Summary
CVE-2024-36435 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in Supermicro BMC firmware (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-36435 is a stack-based buffer overflow vulnerability, tracked under CWE-121, that affects Supermicro BMC firmware on select X11, X12, H12, B12, X13, H13, and B13 motherboards as well as CMM6 modules. The flaw resides in an interface that processes unauthenticated POST requests containing crafted data, enabling the overflow condition.
An unauthenticated remote attacker with network access to the BMC can send specially formed input to trigger the overflow and obtain arbitrary code execution on the management controller. The issue carries a CVSS 3.1 base score of 9.8, reflecting the absence of required authentication or user interaction and the full impact on confidentiality, integrity, and availability.
Supermicro has published security advisories covering BMC IPMI firmware updates for the affected platforms, available on the vendor's July 2024 security notice page. The current EPSS score of 0.1287 has remained flat at its observed peak, indicating no material increase in observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36083
Vulnerability details
An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user can post crafted data to the interface that triggers a stack buffer overflow, and may lead to arbitrary remote code execution on a BMC.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.