Description
There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. 
An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation.

Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.
Published: 2026-06-04
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the SMTP service of the Supermicro BMC, specifically the AS‑2115HS‑TNR model. An attacker can supply specially crafted characters that are incorporated into the service configuration and subsequently executed by the underlying system. This flaw may enable denial‑of‑service, arbitrary command execution, or permanent compromise of the controller, representing a severe software flaw (CWE‑78).

Affected Systems

The affected system is the Supermicro Baseboard Management Controller (BMC) in the AS‑2115HS‑TNR model. No additional version details are supplied; the vulnerability is tied to the SMTP service component of that BMC firmware.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, but no EPSS value is available, so the likelihood of exploitation cannot be estimated. The flaw is not listed in the CISA KEV catalog, suggesting no known public exploits at the time of this analysis. The CVSS vector (AV:N/AC:L/PR:H/UI:N) describes an attack that is reachable over the network and requires high privileges, which matches the description: an attacker with administrator privileges injects crafted characters into the SMTP service configuration.

Generated by OpenCVE AI on June 4, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or firmware update for the BMC SMTP service as detailed in the Supermicro security advisory at https://www.supermicro.com/en/support/security_BMC_IPMI_Jun_2026
  • If a patch is not immediately available, disable the SMTP service on the BMC or block inbound SMTP traffic to the BMC from untrusted networks using firewall rules
  • Configure the BMC to enforce strict authentication before accepting any SMTP configuration commands and monitor SMTP logs for anomalous activity


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.
Title Supermicro BMC's SMTP service contains a command injection vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Supermicro

Published:

Updated: 2026-06-04T08:07:57.608Z

Reserved: 2026-03-09T02:52:12.355Z

Link: CVE-2026-3820

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T09:16:28.980

Modified: 2026-06-04T09:16:28.980

Link: CVE-2026-3820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T09:30:10Z

Weaknesses