CVE-2026-3820

Supermicro BMC's SMTP service contains a command injection vulnerability

CVSS 7.2 HIGHEPSS 0.4%CWE-78

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.2EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

SMCI · AS-2115HS-TNR

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.supermicro.com/en/support/security_BMC_IPMI_Jun_2026