Supermicro BMC's SMTP service contains a command injection vulnerability
CVE-2026-3820

7.2HIGH

Key Information:

Vendor: Smci
Status: As-2115hs-tnr
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-3820?

There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process invocation.

Potential impact includes denial-of-service attacks, arbitrary code execution, or permanent compromise of the controller.

Affected Version(s)

AS-2115HS-TNR BMC 01.08.01

AS-2115HS-TNR BMC 01.06.04

References

https://www.supermicro.com/en/support/security_BMC_IPMI_J...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Mar 9, 2026

Credit

Coreweave Red Team and Hoang Bui from Coreweave

CVE-2026-3820 Data

JSON

Smci

What is CVE-2026-3820?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit