Rubrik Security Advisory (RBK-V-20251003-0056): Supermicro BMC firmware vulnerability

Advisory ID: RBK-V-20251003-0056

Severity: High

CVE: CVE-2025-7937, CVE-2025-6198

Customer action: Upgrade impacted Rubrik clusters to CDM 9.4.2-p1, 9.3.3-p4, or 9.2.3-p10 (or later)

Summary

Rubrik is aware of recently disclosed vulnerabilities affecting Supermicro Baseboard Management Controller (BMC) firmware and has confirmed that Rubrik customers deployed with select r6000 and/or R7000 hardware clusters are affected. All impacted customers must upgrade to CDM 9.4.2-p1, 9.3.3-p4, or 9.2.3-p10 (or later) and then install the included BMC firmware update to remediate the vulnerability as soon as possible.

Description of issue

Supermicro recently disclosed security vulnerabilities affecting the BMC firmware running on select Supermicro motherboards, which may allow an attacker to bypass the cryptographic image authentication process during firmware updates. The vulnerability could permit unauthorized firmware installation, resulting in persistent malware implantation, remote control of management functions, and potential data exfiltration.

Am I affected?

Rubrik has confirmed that the BMC firmware running on the following Rubrik hardware is affected by this vulnerability and is proactively notifying impacted customers with guidance.

Impacted Rubrik hardware:

r6000 nodes with Intel Xeon E5-2630 CPU
R7000 nodes (all)

Rubrik hardware not impacted:

r6000 nodes with Intel Xeon Silver 4210 CPU
E1000 nodes (all)
Note: Run the cluster hw_health command on each r6000 series node to confirm the CPU type.

Required actions

While Rubrik is not aware of any customers being exploited using these vulnerabilities, we strongly recommend that all customers immediately perform the following actions. Both steps are required. After completing both steps, the Supermicro Baseboard Management Controller (BMC) firmware vulnerability will be fully remediated and the previously recommended IPMI access mitigation steps can be reverted as needed.

1. Upgrade your CDM clusters to 9.4.2-p1, 9.3.3-p4, or 9.2.3-p10 (or later):

Use Rubrik Security Cloud (RSC) to verify the CDM version running on your clusters and perform upgrades.
From the upper-right corner, click the Apps icon, select Settings, and then select CDM Software Upgrades under the Clusters section.
Note: Upgrading to 9.4.2-p1, 9.3.3-p4, or 9.2.3-p10 (or later) also remediates the CDM CLI command injection vulnerability (RBK-V-20251120-0057).

2. Install the BMC firmware update:

Run the cluster update_firmware full_cluster command after completing the CDM upgrade.
The full_cluster parameter sequentially updates the BMC firmware on all applicable nodes in the cluster.
Nodes automatically reboot upon completion of the rolling BMC firmware update.
Use cluster update_firmware status to verify the firmware update status.
Note: r6000 nodes with Intel Xeon E5-2630 CPU will be updated to BMC version 14.09; R7000 nodes will be updated to BMC version 11.05.12.
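The impact table in "Am I affected?" and the two required steps above reduce to a per-node decision: is the hardware in scope, is the CDM version at or above the fixed release for its train, and has the BMC reached the stated post-update version. The script below is an added example (not Rubrik tooling, and not code from this advisory) that encodes exactly those rules so an operator can triage a node inventory offline. It assumes the model and CPU strings were copied by hand from cluster hw_health output (the advisory does not show that output's format, so no parsing of it is attempted), that CDM trains newer than 9.4 carry the fix (the advisory says "or later" but lists only three trains; confirm anything outside them with Rubrik Support), and that a BMC version numerically above the stated one is also acceptable. The Node inventory at the bottom is constructed sample data.

```python
"""Offline triage helper for Rubrik advisory RBK-V-20251003-0056 (added example)."""
import re
from typing import NamedTuple, Optional

# Fixed CDM release per train, as stated in the advisory.
FIXED_CDM = {(9, 2): "9.2.3-p10", (9, 3): "9.3.3-p4", (9, 4): "9.4.2-p1"}

# Post-update BMC versions the advisory states for impacted hardware.
BMC_R6000_E5_2630 = "14.09"
BMC_R7000 = "11.05.12"

_CDM_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_cdm_version(text: str) -> tuple:
    """'9.4.2-p1' -> (9, 4, 2, 1); a release with no -pN suffix counts as p0."""
    m = _CDM_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CDM version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def cdm_is_fixed(version: str) -> bool:
    """True when the version is at or above the fixed release of its own train.

    Assumption (not on the advisory page): trains newer than the newest listed
    one are treated as fixed, trains older than 9.2 as not fixed.
    """
    v = parse_cdm_version(version)
    train = v[:2]
    if train in FIXED_CDM:
        return v >= parse_cdm_version(FIXED_CDM[train])
    return train > max(FIXED_CDM)


def bmc_at_least(actual: str, target: str) -> bool:
    """Numeric dotted compare, so '14.09' >= '14.9' and '11.05.12' >= '11.05.12'."""
    to_tuple = lambda s: tuple(int(x) for x in s.strip().split("."))
    return to_tuple(actual) >= to_tuple(target)


def hardware_impacted(model: str, cpu: str) -> Optional[bool]:
    """Apply the advisory's impact table; None means the combination is not listed."""
    m, c = model.strip().upper(), cpu.upper()
    if m == "R7000":
        return True                      # R7000 nodes (all) impacted
    if m == "E1000":
        return False                     # E1000 nodes (all) not impacted
    if m == "R6000":
        if "E5-2630" in c:
            return True                  # r6000 with Xeon E5-2630 impacted
        if "SILVER 4210" in c:
            return False                 # r6000 with Xeon Silver 4210 not impacted
    return None                          # not in the table: ask Rubrik Support


class Node(NamedTuple):
    name: str
    model: str
    cpu: str
    cdm_version: str
    bmc_version: str


def triage(node: Node) -> str:
    """One of: not-impacted, unknown, needs-cdm-upgrade, needs-bmc-update, remediated."""
    impacted = hardware_impacted(node.model, node.cpu)
    if impacted is None:
        return "unknown"
    if not impacted:
        return "not-impacted"
    if not cdm_is_fixed(node.cdm_version):     # step 1 must come first
        return "needs-cdm-upgrade"
    target = BMC_R7000 if node.model.upper() == "R7000" else BMC_R6000_E5_2630
    if bmc_at_least(node.bmc_version, target):  # step 2 done
        return "remediated"
    return "needs-bmc-update"


# Constructed sample inventory (hostnames, CPU strings and versions are made up).
SAMPLE_NODES = [
    Node("node-a", "r6000", "Intel Xeon E5-2630 v4", "9.4.1-p3", "14.05"),
    Node("node-b", "R7000", "Intel Xeon Gold", "9.3.3-p4", "11.04.00"),
    Node("node-c", "R7000", "Intel Xeon Gold", "9.2.3-p10", "11.05.12"),
    Node("node-d", "r6000", "Intel Xeon Silver 4210", "9.2.3-p9", "13.00"),
    Node("node-e", "E1000", "Intel Xeon", "9.4.0", "1.00"),
]


def triage_all(nodes=SAMPLE_NODES) -> dict:
    return {n.name: triage(n) for n in nodes}


if __name__ == "__main__":
    for name, state in triage_all().items():
        print(f"{name}: {state}")
```

Nodes reported as needs-cdm-upgrade must complete step 1 before cluster update_firmware full_cluster is run; needs-bmc-update nodes have the right CDM build and can proceed to step 2 and be re-checked with cluster update_firmware status.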

Additional information: Customers should continue referencing this announcement for the latest updates. For additional questions, open a case with Rubrik Support using one of the following methods.

Web: Create a new case on the Rubrik Support Portal
Phone: +1 800-997-5896 (United States), +1 800-920-9354 (International), +1 800-459-8390 (US Federal), and all other locations

Document change control and status updates

December 4, 2025: Added the updated BMC version information to the required actions section for post-remediation validation

December 2, 2025: Updated to note that IPMI access mitigations previously applied can be reverted as needed after completing required remediation actions

November 26, 2025: Updated to include required actions to fully remediate the vulnerability

November 3, 2025: Updated tentative CDM patch release timeline to the end of November 2025 from October 2025 due to additional effort for patch verification, testing, and qualification with Supermicro

October 10, 2025: Updated recommended actions to include more specific guidance with instructions

October 3, 2025: First publication of Security Advisory RBK-V-20251003-0056

Author: Michael