CVE-2019-16649
CVE-2019-16649 is a critical-severity vulnerability in Supermicro X11dai-n Firmware with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (56th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-287
- Affected product: Supermicro X11dai-n Firmware
- Published:
- Last modified:
Description
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
Frequently asked questions
- What is CVE-2019-16649?
- On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
- How severe is CVE-2019-16649?
- CVE-2019-16649 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-16649 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (56th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-16649?
- CVE-2019-16649 primarily affects Supermicro X11dai-n Firmware. In total, 337 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-16649?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2019-16649 published?
- CVE-2019-16649 was published on 2019-09-21 and last updated on 2026-06-17.
References
- https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/
- https://github.com/eclypsium/USBAnywhere
- https://www.supermicro.com/support/security_BMC_virtual_media.cfm
Affected products (337)
- cpe:2.3:o:supermicro:x11dai-n_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dac_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dph-tq_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dph-i_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dph-t_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dps-re_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dsf-e_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dsn-ts_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dsn-tsq_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dsc\+_firmware:1.74:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11ddw-nt_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11ddw-l_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dgq_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpff-sn_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpfr-sn_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpfr-s_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpt-ps_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpt-b_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpt-bh_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpt-l_firmware:3.74:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu-v_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu-x_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu-xll_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu-z\+_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpu-ze\+_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpg-sn_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpg-qt_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpg-ot-cpu_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpi-nt_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpi-n_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpl-i_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dpx-t_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11dgo-t_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11sca_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11sca-f_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11sch-f_firmware:1.23.2:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11sch-ln4f_firmware:1.23.2:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11sca-w_firmware:1.71.5:*:*:*:*:*:*:*
- cpe:2.3:o:supermicro:x11scl-f_firmware:1.23.2:*:*:*:*:*:*:*
More vulnerabilities in Supermicro X11dai-n Firmware
- CVE-2019-16650 — Critical (CVSS 10.0): On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later…
- CVE-2023-33413 — High (CVSS 8.8): The configuration functionality in the Intelligent Platform Management Interface (IPMI) baseboard management controller…
- CVE-2023-33412 — High (CVSS 8.8): The web interface in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC)…
- CVE-2023-34853 — High (CVSS 7.8): Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b allows local attackers to hijack control flow…
- CVE-2023-33411 — High (CVSS 7.5): A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC)…
- CVE-2022-43309 — Medium (CVSS 5.5): Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions.
All CVEs affecting Supermicro X11dai-n Firmware →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →