CVE-2026-3820: Supermicro BMC SMTP Command Injection on AS-2115HS-TNR
Supermicro's BMC (Baseboard Management Controller) SMTP service in the AS-2115HS-TNR contains a vulnerability that allows attackers with administrator-level access to inject malicious characters into SMTP configuration fields. This injection can lead the system to execute unintended commands, potentially resulting in loss of service, unauthorized code execution, or complete compromise of the BMC itself. While the attack requires existing high-level privileges, the consequences—especially arbitrary code execution on out-of-band management hardware—are severe.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-3820 is an OS command injection vulnerability (CWE-78) in the SMTP service module of Supermicro AS-2115HS-TNR BMC firmware. The vulnerability stems from insufficient input sanitization in SMTP configuration handling. Attackers with administrator credentials can craft specially formatted strings that escape normal parameter boundaries and are interpreted as shell commands during service invocation. The network-accessible nature of SMTP and the BMC's privileged position in the system architecture amplify the risk. CVSS 3.1 score of 7.2 (HIGH) reflects high confidentiality, integrity, and availability impact, though attack complexity is low and privileges required remain elevated.
Business impact
Compromise of the BMC has outsized business consequences relative to typical application vulnerabilities. A BMC controls hardware power states, firmware updates, and out-of-band remote access—functions that bypass operating system protections. An attacker leveraging this vulnerability could force system shutdowns (DoS), install persistent firmware rootkits, or establish a persistent backdoor independent of OS-level defenses. For organizations managing large Supermicro deployments, this creates a path to infrastructure-wide compromise that is difficult to detect and remediate through standard patching workflows.
Affected systems
This vulnerability is specific to the Supermicro AS-2115HS-TNR model. The vulnerability resides in the BMC firmware's SMTP service implementation. Organizations operating this model should treat it as a priority target for asset discovery and inventory. Check your Supermicro hardware manifest for this specific model number, particularly in data center, edge computing, or remote-access-critical environments.
Exploitability
Exploitation requires attacker possession of valid administrator credentials for the BMC. This is a meaningful constraint: typical external attackers do not have BMC admin access by default. However, the vulnerability becomes highly exploitable in scenarios involving insider threats, credential compromise (especially if BMC passwords are shared across systems or insufficiently rotated), or if attackers first compromise the host OS and then pivot to the BMC. Once credentials are available, exploitation is trivial due to low attack complexity and network accessibility. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, but this should not reduce urgency given BMC criticality.
Remediation
Contact Supermicro for firmware patches addressing CVE-2026-3820 for the AS-2115HS-TNR. Patches should be validated in a lab environment before production deployment, given the sensitivity of BMC updates. Concurrent with patching: (1) enforce strong, unique BMC administrator credentials; (2) restrict BMC SMTP service to internal networks only via firewall rules; (3) disable SMTP if not operationally required; (4) audit BMC user accounts and access logs for unauthorized activity. Organizations should also consider implementing BMC-level network segmentation to limit lateral movement from compromised BMCs.
Patch guidance
Verify current BMC firmware version against Supermicro's advisory for AS-2115HS-TNR. Obtain patches only from official Supermicro channels. Test patches in a non-production environment that mirrors your production BMC configuration. Schedule BMC updates during maintenance windows; coordinate with infrastructure teams to ensure no active remote management sessions are in progress. Post-update, verify SMTP service functionality and confirm BMC accessibility from expected admin consoles. Document the pre- and post-patch firmware versions for audit and compliance records.
Detection guidance
Monitor BMC audit logs for: (1) failed and successful SMTP service configuration changes, especially those originating from unexpected IP addresses or times; (2) unusual SMTP parameters containing shell metacharacters (pipe, backtick, semicolon, dollar-sign, etc.); (3) process execution events on the BMC linked to SMTP service invocation; (4) unexpected privilege escalation or code execution on the BMC. If available, enable BMC syslog forwarding to a centralized logging platform. Check for indicators of compromise such as new BMC user accounts, disabled audit logging, or firmware modifications. Baseline normal SMTP configuration and alert on deviation.
Why prioritize this
Although the vulnerability requires administrator-level privileges, BMCs occupy a uniquely critical position in infrastructure. A single compromised BMC can bypass all OS-level security controls, serve as a persistent backdoor, and facilitate hardware-level attacks. The command injection vector is also straightforward to exploit once credentials are obtained. Organizations with Supermicro AS-2115HS-TNR deployments should treat this as a high-priority remediation target, particularly if BMC admin credentials have been exposed, shared, or used across multiple systems. This vulnerability should be escalated above typical application-layer patching prioritization.
Risk score, explained
CVSS 3.1 score of 7.2 reflects: (1) network-based attack vector, enabling remote exploitation; (2) low attack complexity, indicating straightforward exploitation mechanics; (3) high-privilege prerequisite, reducing opportunistic attack likelihood but not insider or post-compromise risk; (4) complete compromise of confidentiality, integrity, and availability (all HIGH) once credentials are possessed. The score appropriately captures that while initial access barriers are moderate, the ultimate impact is severe. Real-world risk will be higher for organizations with poor BMC credential hygiene or those managing large Supermicro fleets.
Frequently asked questions
Do I need administrator credentials to exploit this vulnerability?
Yes. The vulnerability requires valid BMC administrator credentials. However, this is not a sufficient reason to deprioritize remediation. Insider threats, credential breaches, or lateral movement from a compromised host OS can provide an attacker with admin access. Organizations should audit how BMC credentials are stored, rotated, and protected.
Is this vulnerability currently being exploited in the wild?
CVE-2026-3820 is not listed in CISA's Known Exploited Vulnerabilities catalog as of the vulnerability's publication. However, BMC-targeting vulnerabilities are attractive to sophisticated threat actors due to their persistence and evasion potential. Assume that once patches are available, reverse engineering and exploitation development will follow rapidly.
What should I do if I don't have the AS-2115HS-TNR model?
This vulnerability is specific to that model. Check your Supermicro hardware inventory to confirm you are not affected. If you operate different Supermicro BMC models, monitor vendor advisories independently, as other models may have separate BMC vulnerabilities.
Can I mitigate this vulnerability without patching?
Partial mitigation is possible: disable SMTP on the BMC if your operations don't require it; restrict BMC network access to trusted internal subnets via firewall; enforce strong, unique admin credentials; and increase BMC audit logging and monitoring. However, these are interim measures. Patching is the definitive remediation.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. SEC.co makes no warranty regarding the completeness or accuracy of vendor patch information; always verify against official Supermicro security advisories. Exploitation details and proof-of-concept information are not included in this document. Organizations should validate all patches and mitigations in controlled environments before production deployment. This document does not constitute legal, compliance, or regulatory advice. Consult your organization's legal and risk teams regarding disclosure, remediation timelines, and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability