CVE-2024-36435
published 2024-07-11


Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.29% (66.7th percentile)
An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user can post crafted data to the interface that triggers a stack buffer overflow, and may lead to arbitrary remote code execution on a BMC.

Detection & IOCs (extracted from sources)

URL: /cgi/login.cgi
Snort/Suricata rule (ET SID 2056366):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Supermicro BMC IPMI Buffer Overflow (CVE-2024-36435)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/login.cgi"; fast_pattern; startswith; http.request_body; content:"name|3d|"; pcre:"/^[^&]{64,}/R"; content:"pwd|3d|"; content:"check|3d|"; reference:cve,2024-36435; classtype:web-application-attack; sid:2056366; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2024_36435, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Request-body byte pattern: name|3d|<64+ bytes>&pwd|3d|&check|3d|
  • Exploit arrives as an HTTP POST request to /cgi/login.cgi on the BMC's web interface. The attack is unauthenticated.
  • The overflow is triggered via the 'name' POST body parameter: the rule's pcre "/^[^&]{64,}/R" fires when the value immediately after "name=" runs for 64 or more bytes without an '&' delimiter in the request body sent to /cgi/login.cgi.
  • Detection should be applied at the perimeter and internally, including on TLS-decrypted traffic (SSLDecrypt deployment). The Snort/Suricata SID for this rule is 2056366.
  • MITRE ATT&CK mapping: Tactic TA0001 (Initial Access), Technique T1190 (Exploit Public-Facing Application). Target is the destination IP (BMC server).
  • Affected platforms are limited to select Supermicro motherboard families and CMM6 modules. Verify target hardware before triaging alerts.
  • The Snort/Suricata rule requires TLS inspection (SSLDecrypt) to detect exploitation over HTTPS. Without TLS decryption, the rule will only fire on plaintext HTTP traffic.
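The match conditions described in the notes above, re-implemented as a small Python detector. This is an added example, not code from the page, from Supermicro, or from the Emerging Threats rule itself; it reads raw HTTP/1.x request bytes (a few constructed samples are embedded, they are not captured traffic), applies the same checks as SID 2056366 (POST, URI starting with /cgi/login.cgi, 64 or more non-'&' bytes after "name=", "pwd=" and "check=" present in the body) and returns the indexes of the matching records. Function, class and host names are my own; like the rule, it only works on decrypted traffic, so feed it request bytes from a TLS-terminating proxy or decrypted capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Match conditions lifted from the rule on the page (ET SID 2056366):
# POST, URI starting with /cgi/login.cgi, "name=" followed by 64 or more
# non-'&' bytes, and "pwd=" and "check=" present somewhere in the body.
TARGET_URI = "/cgi/login.cgi"
NAME_MIN_LEN = 64
NAME_RE = re.compile(rb"name=[^&]{%d,}" % NAME_MIN_LEN)


@dataclass
class HttpRequest:          # hypothetical helper type, not part of any library
    method: str
    uri: str
    body: bytes


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser: request line kept, headers skipped, body kept.

    Returns None for anything without a three-part request line, so a
    malformed record never raises inside the scan loop.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    try:
        return HttpRequest(parts[0].decode("ascii"), parts[1].decode("ascii"), body)
    except UnicodeDecodeError:
        return None


def matches_sid_2056366(req: HttpRequest) -> bool:
    """True when the request satisfies every condition of the Snort/Suricata rule."""
    # http.method; content:"POST";
    if req.method != "POST":
        return False
    # http.uri; content:"/cgi/login.cgi"; startswith;
    if not req.uri.startswith(TARGET_URI):
        return False
    # content:"name|3d|"; pcre:"/^[^&]{64,}/R";  -> 64+ non-'&' bytes right after name=
    if NAME_RE.search(req.body) is None:
        return False
    # content:"pwd|3d|"; content:"check|3d|";  -> both must appear in the body
    return b"pwd=" in req.body and b"check=" in req.body


def scan_requests(records: List[bytes]) -> List[int]:
    """Indexes of the records that match; expects already-decrypted request bytes."""
    hits = []
    for idx, raw in enumerate(records):
        req = parse_http_request(raw)
        if req is not None and matches_sid_2056366(req):
            hits.append(idx)
    return hits


def _build_login_post(name: bytes, uri: str = TARGET_URI, method: str = "POST") -> bytes:
    """Assembles a constructed login request for the samples below (hypothetical host)."""
    body = b"name=" + name + b"&pwd=placeholder&check=00"
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        "Host: bmc.example.internal\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii") + body


# Constructed sample traffic (not captured data): a normal login, an
# oversized name field (the "<64+ bytes>" pattern from the page), the same
# oversized field sent to an unrelated path, a bodiless GET, and a value
# one byte under the threshold.
SAMPLE_REQUESTS = [
    _build_login_post(b"admin"),                            # 0: benign, short name
    _build_login_post(b"A" * 80),                           # 1: 80-byte name -> match
    _build_login_post(b"A" * 80, uri="/cgi/other.cgi"),     # 2: wrong URI -> no match
    b"GET /cgi/login.cgi HTTP/1.1\r\nHost: bmc.example.internal\r\n\r\n",  # 3: GET
    _build_login_post(b"A" * 63),                           # 4: just under threshold
]

if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        print(f"record {idx}: matches the CVE-2024-36435 rule conditions")
```

The length check counts raw body bytes, as the Snort pcre does, so a URL-encoded name is measured after encoding, not after decoding. The 63-byte sample documents the edge: the rule is "64 or more", so a value of exactly 63 bytes followed by '&' does not fire.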