Cyber Resilience

CVE-2024-36435

Critical

Published: 11 July 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor BMC firmware update available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1287 (94.2nd percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36435 is a critical-severity stack-based buffer overflow (CWE-121) in Supermicro BMC firmware (the product is inferred from the references; see Affected Assets). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 5.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-36435 is a stack-based buffer overflow vulnerability, tracked under CWE-121, that affects Supermicro BMC firmware on select X11, X12, H12, B12, X13, H13, and B13 motherboards as well as CMM6 modules. The flaw resides in an interface that processes unauthenticated POST requests containing crafted data, enabling the overflow condition.

An unauthenticated remote attacker with network access to the BMC can send specially formed input to trigger the overflow and obtain arbitrary code execution on the management controller. Because the BMC sits below the host operating system and normally controls host power, console and firmware, compromise of it is not contained by any host-level control. The issue carries a CVSS 3.1 base score of 9.8, reflecting the absence of required authentication or user interaction and the full impact on confidentiality, integrity, and availability.
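The bug class described above, shown as an added C example that is not Supermicro's code and does not reproduce the actual vulnerable interface: a small form-POST handler that copies attacker-controlled field values into fixed-size stack buffers. The form field names, buffer sizes, return codes and the sample request bodies are all assumptions constructed for the example. `login_vulnerable()` shows the CWE-121 pattern (value length never compared with the destination size); `login_hardened()` rejects oversized input before any copy, which is the check the firmware fix has to enforce.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* assumed buffer sizes for the example */
#define PASS_MAX 32

/* Stack-resident form data, as a small embedded web handler might declare it. */
struct login_form {
    char user[USER_MAX];
    char pass[PASS_MAX];
};

/* Locate the value for `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer into `body` and stores the value length in *vlen, or NULL
 * if the key is absent. Percent-decoding is omitted for brevity. */
static const char *form_value(const char *body, size_t body_len,
                              const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    const char *p = body, *end = body + body_len;

    while (p < end) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *pair_end = amp ? amp : end;
        const char *eq = memchr(p, '=', (size_t)(pair_end - p));

        if (eq && (size_t)(eq - p) == klen && memcmp(p, key, klen) == 0) {
            *vlen = (size_t)(pair_end - (eq + 1));
            return eq + 1;
        }
        if (!amp)
            break;
        p = amp + 1;
    }
    return NULL;
}

/* CWE-121 pattern: the attacker-controlled value length is never compared with
 * the destination size before the copy. Present only for contrast; do not call
 * it with a value of USER_MAX/PASS_MAX bytes or longer. */
int login_vulnerable(const char *body, size_t body_len)
{
    struct login_form f;
    size_t ulen, plen;
    const char *u = form_value(body, body_len, "username", &ulen);
    const char *pw = form_value(body, body_len, "password", &plen);

    if (!u || !pw)
        return -1;
    memcpy(f.user, u, ulen);      /* writes past f.user when ulen >= USER_MAX */
    f.user[ulen] = '\0';
    memcpy(f.pass, pw, plen);     /* same for f.pass */
    f.pass[plen] = '\0';
    return 0;
}

/* Bounded copy: refuse anything that does not fit together with its NUL. */
static int copy_field(char *dst, size_t dst_sz, const char *src, size_t n)
{
    if (n >= dst_sz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened handler: 0 on success, -1 if a field is missing, -2 if a field is
 * too long (the caller would answer HTTP 400 instead of touching the stack). */
int login_hardened(const char *body, size_t body_len, struct login_form *out)
{
    size_t ulen, plen;
    const char *u = form_value(body, body_len, "username", &ulen);
    const char *pw = form_value(body, body_len, "password", &plen);

    if (!u || !pw)
        return -1;
    if (copy_field(out->user, sizeof out->user, u, ulen) != 0 ||
        copy_field(out->pass, sizeof out->pass, pw, plen) != 0)
        return -2;
    return 0;
}

/* Constructed benign request; returns 1 when it parses into the expected fields. */
int demo_normal(void)
{
    struct login_form f;
    const char *ok = "username=admin&password=secret";
    return login_hardened(ok, strlen(ok), &f) == 0 &&
           strcmp(f.user, "admin") == 0 && strcmp(f.pass, "secret") == 0;
}

/* Constructed hostile request: a 232-byte password, the shape of input that
 * would overflow login_vulnerable(). Returns the hardened handler's verdict. */
int demo_oversized(void)
{
    char body[256];
    struct login_form f;

    memset(body, 'A', sizeof body);
    memcpy(body, "username=admin&password=", 24);
    return login_hardened(body, sizeof body, &f);
}

int main(void)
{
    printf("normal request parsed: %d\n", demo_normal());
    printf("oversized request verdict: %d\n", demo_oversized());
    return 0;
}
```

The length check belongs before the copy, against the real destination size (`sizeof out->user`), not against a Content-Length header or any other value the client controls.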

Supermicro has published security advisories covering BMC IPMI firmware updates for the affected platforms, available at the vendor's July 2024 security notice page. The current EPSS score of 0.1287 has remained flat at its observed peak, indicating no material increase in observed exploitation interest since disclosure.


Vulnerability details

An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user can post crafted data to the interface that triggers a stack buffer overflow, and may lead to arbitrary remote code execution on a BMC.

CWE(s)

CWE-121: Stack-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Supermicro BMC firmware (vendor and product inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls have been mapped yet by the per-CVE control annotator. Until they are: apply the Supermicro BMC firmware update from the vendor's July 2024 advisory, and, as standard BMC hygiene, keep the BMC management interface on an isolated management network rather than reachable from general-purpose or internet-facing networks, since the flaw needs no credentials, only network access.
