Cyber Resilience

CVE-2025-12006

High

Published: 16 January 2026

Published
16 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 3.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12006 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Supermicro BMC (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-12006, published on 2026-01-16, is a vulnerability in the Supermicro BMC firmware validation logic on the Supermicro MBD-X12STW-F motherboard. It enables an attacker to update the system firmware using a specially crafted image. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-347.

The vulnerability can be exploited by an attacker with high privileges over the network, requiring low complexity and no user interaction. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability on the affected system, such as arbitrary firmware modification leading to persistent control.

Supermicro has published a security advisory with mitigation guidance at https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026.

EU & UK References

Vulnerability details

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F . An attacker can update the system firmware with a specially crafted image.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1542.001 System Firmware Stealth
Adversaries may modify system firmware to persist on systems.
Why these techniques?

CVE directly bypasses firmware signature validation (CWE-347) to permit arbitrary system firmware images, enabling T1542.001 System Firmware for persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56161Shared CWE-347
CVE-2025-12007Shared CWE-347
CVE-2026-34240Shared CWE-347
CVE-2025-24043Shared CWE-347
CVE-2026-23687Shared CWE-347
CVE-2024-13172Shared CWE-347
CVE-2026-41669Shared CWE-347
CVE-2026-27962Shared CWE-347
CVE-2026-32974Shared CWE-347
CVE-2026-44714Shared CWE-347

Affected Assets

Supermicro
BMC
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires cryptographic verification of firmware integrity before allowing updates, directly blocking the crafted-image attack path in the BMC validation logic.

prevent

Mandates that firmware components be digitally signed and verified, addressing the root failure in Supermicro's signature/validation logic for BMC updates.

prevent

Enforces access restrictions and authorization checks on configuration changes including firmware flashing, limiting exploitation to only explicitly permitted high-privilege accounts.

References