Cyber Posture

CVE-2025-12007

Severity: High
Published: 16 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor patch available (see the Supermicro advisory below)
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.2th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12007 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Supermicro BMC (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Firmware (T1542.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent / Detect: Requires integrity verification mechanisms for firmware, directly countering the flawed BMC firmware validation logic that permits specially crafted images.
- Prevent (CM-14, Signed Components): Mandates digital signing and signature validation of software components, including firmware images, prior to update, preventing acceptance of crafted malicious firmware.
- Prevent / Recover (SI-2, Flaw Remediation): Ensures timely remediation of the specific BMC firmware vulnerability via vendor-provided patches from the Supermicro security advisory.

MITRE ATT&CK Enterprise Techniques

- T1542.001 System Firmware (Stealth): Adversaries may modify system firmware to persist on systems.

Why these techniques? The flaw bypasses firmware signature validation (CWE-347) to install a crafted BMC/system firmware image, directly enabling T1542.001 System Firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image.

Deeper analysis

CVE-2025-12007 is a vulnerability in the Supermicro BMC firmware validation logic affecting the Supermicro MBD-X13SEM-F motherboard. It enables an attacker to update the system firmware using a specially crafted image. The issue, associated with CWE-347, received a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-16.

A local attacker with no privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows updating the firmware, resulting in high impacts to confidentiality, integrity, and availability of the affected system.

Supermicro has published a security advisory at https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 addressing this vulnerability.

Details

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Affected Products: Supermicro BMC (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2024-56161 (shared CWE-347)
- CVE-2025-12006 (shared CWE-347)
- CVE-2025-27773 (shared CWE-347)
- CVE-2026-5466 (shared CWE-347)
- CVE-2026-40372 (shared CWE-347)
- CVE-2026-38651 (shared CWE-347)
- CVE-2026-34377 (shared CWE-347)
- CVE-2026-20997 (shared CWE-347)
- CVE-2025-23206 (shared CWE-347)
- CVE-2025-52648 (shared CWE-347)

References