CVE-2025-12006
Published: 16 January 2026
Summary
CVE-2025-12006 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in the BMC firmware of the Supermicro MBD-X12STW-F motherboard. Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique System Firmware (T1542.001). The CVE sits at the 3.9th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST SP 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2025-12006, published on 2026-01-16, is a vulnerability in the BMC firmware validation logic of the Supermicro MBD-X12STW-F motherboard. It allows an attacker to update the system firmware with a specially crafted image: the signature check that should reject an unauthorized image can be bypassed. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-347.
The vector places the attacker on the network with high privileges (PR:H): they must already hold a privileged BMC account or equivalent access to the firmware-update path, but need no user interaction and face low attack complexity. What the flaw adds is the ability to turn that privileged access into arbitrary firmware replacement that the validation logic should have refused. Because the BMC runs independently of the host operating system, a malicious image that passes validation persists across host reinstalls and disk replacements, giving the attacker high-impact control over confidentiality, integrity, and availability from below the OS.
Supermicro has published a security advisory with mitigation guidance at https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2961
Vulnerability details
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image.
- CWE(s): CWE-347 Improper Verification of Cryptographic Signature
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE bypasses firmware signature validation (CWE-347) so that arbitrary system firmware images are accepted for installation, which is exactly the capability T1542.001 System Firmware describes: modifying firmware to persist below the operating system.
Affected Assets
- Supermicro MBD-X12STW-F (BMC firmware)
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): Requires cryptographic verification of firmware integrity before an update is accepted, directly blocking the crafted-image attack path through the BMC validation logic.
- CM-14 (Signed Components): Mandates that firmware components be digitally signed and that the signature be verified before installation, addressing the root failure in the BMC's signature validation logic.
- Access restrictions on configuration change: Enforces access restrictions and authorization checks on configuration changes, including firmware flashing, so that only explicitly permitted high-privilege accounts can reach the vulnerable update path. This is a compensating control consistent with the PR:H vector; it narrows exposure but does not fix the validation flaw itself.
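The control descriptions above and the CWE-347 root cause described under Deeper analysis both come down to one question: which bytes does the BMC verify, and against which key? The Go program below is an added example written for this page, not Supermicro's firmware code. The page does not describe the actual defect in the MBD-X12STW-F validation logic, so the two weaknesses in `VerifyWeak` are generic CWE-347 patterns, not a description of the real bug. The image layout (magic, flag byte, length, embedded key, Ed25519 signature, payload) is a hypothetical construction, and Go stands in for the BMC's native code because its standard library ships Ed25519. `VerifyStrict` shows the shape SI-7 and CM-14 call for: signing is mandatory, the only accepted key is one pinned in the verifier, the signature covers exactly the bytes that will be flashed, and nothing is released for writing before verification succeeds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout constructed for this example (not Supermicro's real format):
//   "BMCF" | flags u8 (bit0: claims signed) | payloadLen u32 BE | pubKey[32] | sig[64] | payload
const (
	magic      = "BMCF"
	flagOff    = len(magic)
	lenOff     = flagOff + 1
	headerLen  = lenOff + 4
	sigOff     = headerLen + ed25519.PublicKeySize
	payloadOff = sigOff + ed25519.SignatureSize
	flagSigned = 0x01
)

// ErrBadImage is the single rejection error; a caller must never flash on error.
var ErrBadImage = errors.New("firmware image rejected")
type image struct{ hdr, pub, sig, payload []byte }

// signedRegion: header plus the exact payload bytes that will be flashed, never the attacker-writable key/sig fields.
func (im *image) signedRegion() []byte { return append(append([]byte{}, im.hdr...), im.payload...) }

// parseImage does all bounds checking up front; the declared payload length must match exactly.
func parseImage(img []byte) (*image, error) {
	if len(img) < payloadOff || string(img[:flagOff]) != magic ||
		uint64(binary.BigEndian.Uint32(img[lenOff:])) != uint64(len(img)-payloadOff) {
		return nil, ErrBadImage
	}
	return &image{img[:headerLen], img[headerLen:sigOff], img[sigOff:payloadOff], img[payloadOff:]}, nil
}

// BuildImage embeds pub in the header and, when signed, signs header||payload with priv.
func BuildImage(payload []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey, signed bool) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[lenOff:], uint32(len(payload)))
	sig := make([]byte, ed25519.SignatureSize) // stays all-zero when unsigned
	if signed {
		hdr[flagOff] = flagSigned
		sig = ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	}
	img := append(append(append([]byte{}, hdr...), pub[:ed25519.PublicKeySize]...), sig...)
	return append(img, payload...)
}

// VerifyWeak models two classic CWE-347 shapes: honouring an image-supplied "unsigned" flag, and verifying against the key carried inside the image itself.
func VerifyWeak(img []byte) ([]byte, error) {
	im, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if im.hdr[flagOff]&flagSigned == 0 {
		return im.payload, nil // defect 1: the attacker simply clears the flag
	}
	if !ed25519.Verify(ed25519.PublicKey(im.pub), im.signedRegion(), im.sig) {
		return nil, ErrBadImage
	}
	return im.payload, nil // defect 2: the attacker ships their own key plus a matching signature
}

// VerifyStrict: signing is mandatory, only the key pinned in the verifier (root of trust) counts, and the payload is released only after verification succeeds.
func VerifyStrict(img []byte, trusted ed25519.PublicKey) ([]byte, error) {
	im, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if im.hdr[flagOff]&flagSigned == 0 || !ed25519.Verify(trusted, im.signedRegion(), im.sig) {
		return nil, ErrBadImage
	}
	return im.payload, nil
}

func accepted(p []byte, e error) bool { return e == nil && p != nil } // "would be flashed"

// RunScenarios runs both verifiers over genuine, forged, unsigned and tampered images (all constructed here).
func RunScenarios() (map[string]bool, error) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	genuine := BuildImage([]byte("constructed vendor payload"), vendorPub, vendorPriv, true)
	forged := BuildImage([]byte("constructed backdoored payload"), attackerPub, attackerPriv, true)
	unsigned := BuildImage([]byte("constructed backdoored payload"), attackerPub, nil, false)
	tampered := append([]byte{}, genuine...)
	tampered[len(tampered)-1] ^= 0xff // flip one payload byte after signing
	return map[string]bool{
		"weak/genuine": accepted(VerifyWeak(genuine)), "weak/forged": accepted(VerifyWeak(forged)),
		"weak/unsigned": accepted(VerifyWeak(unsigned)), "strict/genuine": accepted(VerifyStrict(genuine, vendorPub)),
		"strict/forged": accepted(VerifyStrict(forged, vendorPub)), "strict/unsigned": accepted(VerifyStrict(unsigned, vendorPub)),
		"strict/tampered": accepted(VerifyStrict(tampered, vendorPub)),
	}, nil
}

func main() { res, err := RunScenarios(); fmt.Println(res, err) }
```

`RunScenarios` reports which images each verifier would flash. The weak verifier accepts the genuine image, but also an attacker-signed image that carries the attacker's own public key and an image whose signed flag has simply been cleared; the strict verifier accepts only the genuine image and rejects the forged, unsigned and byte-flipped variants. Two design points carry over to real BMC code: the signature must cover the header as well as the payload (otherwise the length or flag fields become an unsigned attack surface), and the trusted key must come from the verifier's own root of trust, never from the image being verified.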