CVE-2023-33412: The web interface in the Intelligent Platform Management Interface (IPMI) baseboard management controller (...
The web interface in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions before 3.17.02, allows remote authenticated users to execute arbitrary commands via a crafted request targeting vulnerable cgi endpoints.
Security readout for executives and security teams
This vulnerability lets a logged-in remote user run arbitrary commands through the Supermicro BMC/IPMI web interface on affected X11 and M11 devices. BMC compromise is serious because it can affect server control below the operating system. The bundle does not provide CVSS scoring. Exposure is most likely where Supermicro X11 or M11 BMC web interfaces are reachable by administrators, management networks, VPN users, or any broader network with valid credentials. Prioritize remediation for exposed or broadly reachable BMC interfaces. Even with authentication required, command execution on server management controllers can create high operational risk if credentials are compromised or access controls are weak. Mitigation focus: Identify Supermicro X11 and M11 systems with BMC firmware before 3.17.02.; Update affected BMC firmware to 3.17.02 or later per Supermicro guidance.; Restrict BMC/IPMI web access to trusted management networks only..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-33412 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 7, 2023, 00:00 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.