CVE-2019-16649

CVE-2019-16649 is a critical-severity vulnerability in Supermicro X11dai-n Firmware with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.

Key facts

Description

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

Frequently asked questions

What is CVE-2019-16649?
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
How severe is CVE-2019-16649?
CVE-2019-16649 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-16649 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (56th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2019-16649?
CVE-2019-16649 primarily affects Supermicro X11dai-n Firmware. In total, 337 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-16649?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2019-16649 published?
CVE-2019-16649 was published on 2019-09-21 and last updated on 2026-06-17.

References

Affected products (337)

More vulnerabilities in Supermicro X11dai-n Firmware

All CVEs affecting Supermicro X11dai-n Firmware →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →