CVE-2023-35861
CRITICALSupermicro H12DST-B Firmware < 03.10.35 - Unauthenticated OS Command Injection via Email Notification
Title source: llmDescription
A shell-injection vulnerability in email notifications on Supermicro motherboards (such as H12DST-B before 03.10.35) allows remote attackers to inject execute arbitrary commands as root on the BMC.
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://blog.freax13.de/cve/cve-2023-35861
Vendor Advisory
https://www.supermicro.com/en/support/security_SMTP_Jun_2023
Scores
CVSS v3
9.8
EPSS
0.0154
EPSS Percentile
71.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (50)
supermicro/h12dgo-6_firmware
supermicro/h12dgq-nt6_firmware
supermicro/h12dsg-o-cpu_firmware
supermicro/h12dsg-q-cpu6_firmware
supermicro/h12dsi-n6_firmware
supermicro/h12dsi-nt6_firmware
supermicro/h12dst-b_firmware
supermicro/h12dst-b_firmware
< 03.10.35
supermicro/h12dsu-in_firmware
supermicro/h12dsu-inr_firmware
... and 40 more
Published
Jul 31, 2023
Tracked Since
Feb 18, 2026