Description
There is a vulnerability in the Supermicro BMC SMTP service on the Supermicro AS-2115HS-TNR.
An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation.

Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.
Published: 2026-06-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the SMTP service of the Supermicro BMC, specifically the AS‑2115HS‑TNR model. An attacker can supply specially crafted characters that are incorporated into the service configuration and subsequently executed by the underlying system. This flaw may enable denial‑of‑service, arbitrary command execution, or permanent compromise of the controller, representing a severe software flaw (CWE‑78).

Affected Systems

The affected system is the Supermicro Baseboard Management Controller (BMC) in the AS‑2115HS‑TNR model. No additional version details are supplied; the vulnerability is tied to the SMTP service component of that BMC firmware.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, but no EPSS value is available, making the exact likelihood of exploitation uncertain. The flaw is not listed in the CISA KEV catalog, suggesting no known public exploits at the time of this analysis. The likely attack vector involves an external network attacker sending malicious SMTP protocol traffic to the BMC to trigger the command injection.

Generated by OpenCVE AI on June 4, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or firmware update for the BMC SMTP service as detailed in the Supermicro security advisory at https://www.supermicro.com/en/support/security_BMC_IPMI_Jun_2026
  • If a patch is not immediately available, disable the SMTP service on the BMC or block inbound SMTP traffic to the BMC from untrusted networks using firewall rules
  • Configure the BMC to enforce strict authentication before accepting any SMTP configuration commands and monitor SMTP logs for anomalous activity


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Smci; Smci as-2115hs-tnr
Vendors & Products | | Smci; Smci as-2115hs-tnr

Thu, 04 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.
Title | | Supermicro BMC's SMTP service contains a command injection vulnerability
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Supermicro

Published:

Updated: 2026-06-05T03:55:50.915Z

Reserved: 2026-03-09T02:52:12.355Z

Link: CVE-2026-3820

Vulnrichment

Updated: 2026-06-04T12:45:53.461Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T09:16:28.980

Modified: 2026-06-04T16:40:28.363

Link: CVE-2026-3820

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:41Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')