CVE-2026-3820: Supermicro BMC's SMTP service contains a command injection vulnerability
There is a command injection vulnerability in the SMTP service of the Supermicro BMC on the Supermicro AS-2115HS-TNR. An attacker who has obtained administrator privileges may inject specially crafted characters into the SMTP service configuration, which can cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial of service, arbitrary code execution, or permanent compromise of the controller.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A command injection vulnerability affects the SMTP service in the Supermicro BMC (Baseboard Management Controller) on the AS-2115HS-TNR platform. An attacker with administrator-level credentials can reach the service over the network and inject specially crafted characters into the SMTP configuration, causing the BMC to execute unintended OS commands during process invocation. Successful exploitation enables full compromise of the controller, arbitrary code execution, and denial of service. No upstream fix has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Supermicro releases a remediated firmware version.
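As an added example (not code from Supermicro, HarborGuard or the advisory), the defensive pattern that closes this bug class: each SMTP configuration field is checked against a strict character allowlist, and the values are handed to the mail helper as an argument vector rather than a shell string. The field names ("server", "port", "sender") and the helper binary path are assumptions.

```python
import re
from typing import Dict, List

# Added example (not Supermicro or HarborGuard code): allowlist validation
# for SMTP settings before they reach any process invocation. Field names
# "server", "port", "sender" and the helper binary path are assumed.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
# Conservative mailbox local part; the domain is checked as a hostname.
_LOCAL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}")


def validate_smtp_config(cfg: Dict[str, str]) -> List[str]:
    """Return validation errors; an empty list means every field is clean.

    Each field must fully match a positive character allowlist, so shell
    metacharacters (; | & ` $ and newlines) are rejected outright rather
    than escaped, whatever the value is later used for.
    """
    errors = []
    if not _HOSTNAME_RE.fullmatch(cfg.get("server", "")):
        errors.append("server: not a valid hostname")
    port = cfg.get("port", "")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        errors.append("port: must be an integer in 1..65535")
    local, sep, domain = cfg.get("sender", "").rpartition("@")
    if not (sep and _LOCAL_RE.fullmatch(local) and _HOSTNAME_RE.fullmatch(domain)):
        errors.append("sender: not a valid mailbox address")
    return errors


def build_mail_argv(cfg: Dict[str, str]) -> List[str]:
    """Build an argument vector for a hypothetical mail helper.

    The vulnerable pattern is a shell string such as
    os.system(f"mailer -s {server} ..."); an argv list run with
    subprocess.run(argv, shell=False) keeps each setting a single
    argument, and the allowlist above stops injected characters earlier.
    """
    problems = validate_smtp_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return ["/usr/bin/mail-helper",  # hypothetical path, not from the page
            "--server", cfg["server"], "--port", cfg["port"],
            "--from", cfg["sender"]]
```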
HarborGuard Coverage
- Detection capability for CVE-2026-3820 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Supermicro BMC firmware layers. (Status: Available)
- HarborGuard scores this CVE at CVSS 7.2 HIGH (v3.1) and can weight that score against each customer environment's compliance policy to determine urgency and route findings to the appropriate team inbox within that organization. (Status: Available)
- Because no fix version has been published by Supermicro, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream remediated version is released. In the interim, the advisory remains open and visible in each customer's finding queue so compensating controls can be applied. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The BMC SMTP service is exposed over the network, so the attacker must be able to reach the management interface remotely.
- Authentication: Required
Administrator-level credentials are required; the attacker must already hold or obtain a privileged account on the BMC before injecting commands.
- Victim interaction: Not required
No user interaction is needed; the attacker operates entirely against the service configuration interface without involving another person.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is straightforward and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.
Blast Radius
- The attacker executes arbitrary OS commands on the BMC, gaining full control over the controller and all management functions it exposes.
- Confidential BMC configuration data, credentials, and out-of-band management secrets stored on the controller are read directly.
- Persistent modification of BMC firmware or configuration is possible, surviving host OS reboots and standard remediation steps.
- The BMC service can be crashed or rendered permanently unresponsive, eliminating out-of-band management access to the physical host.
How HarborGuard Handles This
Available on HarborGuard: because Supermicro has not yet published a fix for CVE-2026-3820, the advisory is monitored on every ingest cycle and a patched-image rebuild will become available automatically the moment a remediated firmware version is released upstream. Until then, customers can apply compensating controls surfaced through HarborGuard findings: restricting network-policy access to BMC management interfaces so only trusted jump hosts can reach the SMTP configuration endpoint, enabling egress filtering on BMC management VLANs, and reviewing whether any pipeline images bundle this firmware version under affected builds 01.08.01 or 01.06.04. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically once an upstream fix is available, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in those environments.
Affected Products
- SMCI / AS-2115HS-TNR: 01.08.01 · 01.06.04
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H