CVE-2023-33411: A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC)...
A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information.
Security readout for executives and security teams
CVE-2023-33411 affects the web server in Supermicro IPMI/BMC management controllers on X11 and M11 based devices with firmware up to 3.17.02. A remote unauthenticated user may use directory traversal to disclose sensitive information. This is important because BMCs manage servers at a privileged hardware level. Organizations using Supermicro X11 or M11 based systems with BMC firmware up to 3.17.02 may be exposed, especially if the BMC web interface is reachable from untrusted networks. Prioritize remediation for internet-facing or broadly reachable BMC interfaces. Compromise or information exposure through management controllers can materially increase risk to server operations and incident response. Mitigation focus: Review Supermicro’s December 2023 BMC security advisory for affected models and firmware guidance.; Update BMC firmware according to Supermicro’s official instructions.; Restrict IPMI/BMC access to dedicated management networks or VPNs..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
File access behavior lookup
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.