Join Us At Hacker Summer Camp

Lights Out: BMC's are Still Broken and Now We Have the Receipts

Wed, August 5 @ 3:35pm PDT (Oceanside A, Level 2)
lanyard-rope
lanyard-clip

Presented by:

HD Moore

Founder and CEO

Baseboard management controllers (BMCs) are embedded into every modern enterprise server. These devices run their own OS, have their own network interfaces, and are network-reachable even when the server is powered off. The devices speak a protocol called IPMI that was thoroughly trashed by Dan Farmer's ground-breaking research in 2013. Since Farmer's original research into Cipher Zero authentication bypass and RAKP password hash disclosure, dozens of new vulnerabilities have been identified in these devices, but none of this research revisits the IPMI protocol itself.

We scanned over 15,000 internet-exposed BMCs and 125,000 devices across corporate networks to see what changed. The answer: not enough.

Three out of four internet-facing IPMI hosts offer valid usernames and password hashes to any attacker on the network. Over 9,000 internal BMCs used default or common passwords. Although California's SB-327 law forced vendors to ship factory-randomized passwords, more devices than ever now retain their initial random password. These random passwords use constrained character sets that make offline cracking feasible with modern GPUs.

We document novel pre-authentication information leaks: Dell BMCs embed service tags resolvable via Dell's public support portal, HPE BMCs encode part IDs and serial numbers, and many exposed GUIDs contain MAC addresses and manufacturing timestamps.

BMC attacks are more common than ever, with high-profile cases of malicious firmware implants that provide persistent access, and open source toolkits for building custom firmwares for HP iLO and Supermicro IPMI boards. In June 2025, CISA added its first BMC exposure to its Known Exploited Vulnerabilities catalog.

A compromised BMC persists through OS reinstalls and disk replacement, and the bidirectional trust between BMC and host means compromising either side compromises both. This bidirectional trust undermines network segmentation.

As part of this research, we are releasing OOBscan, an open source IPMI auditing tool.


More great things from HD

Webcasts
Beyond the Zero-Day: Mapping the network attackers actually see
Breaches are inevitable. Learn from HD Moore how attackers exploit the seams between IT, IoT, and OT networks — and how to fix the segmentation...
Podcasts
Risky Biz Interview: Navigating the AI vibe shift with HD Moore
runZero Founder and CEO HD Moore drops by in this week's Risky Biz sponsor interview to talk about the concerning AI vibe shift and what to do...
Podcasts
OT asset exposures & mitigations
Rob King joins the Nexus Podcast to discuss the security risks and exposures introduced by digital transformation to operational technology...
Podcasts
runZero accidentally got good at OT (Risky Biz Interview)
HD Moore discusses the release of runZero v4.9, which introduces enhanced OT scanning, animated visualization maps, and a highly requested dark mode.

More Summer Camp Talks!

Book some 1:1 time

Meet with us during Summer Camp