On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
Conclusion & alert: CVE-2019-16649 is rated Moderate Risk (60.2/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.92%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.10% | 0.92% | +0.82% |
| 2 | 2025-03-17 | 0.26% | 0.10% | -0.16% |
| 3 | 2025-02-11 | — | 0.26% | — |
Full EPSS history (10 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| supermicro | x11dai-n_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dai-n_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dac_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dac_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dph-tq_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dph-tq_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dph-i_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dph-i_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dph-t_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dph-t_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dps-re_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dps-re_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dsf-e_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dsf-e_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dsn-ts_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dsn-ts_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dsn-tsq_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dsn-tsq_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dsc\+_firmware | 1.74 | cpe:2.3:o:supermicro:x11dsc\+_firmware:1.74:*:*:*:*:*:*:* |
| supermicro | x11ddw-nt_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11ddw-nt_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11ddw-l_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11ddw-l_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dgq_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dgq_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpff-sn_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpff-sn_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpfr-sn_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpfr-sn_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpfr-s_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpfr-s_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpt-ps_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpt-ps_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpt-b_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpt-b_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpt-bh_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpt-bh_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpt-l_firmware | 3.74 | cpe:2.3:o:supermicro:x11dpt-l_firmware:3.74:*:*:*:*:*:*:* |
| supermicro | x11dpu_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpu-v_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu-v_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpu-x_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu-x_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpu-xll_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu-xll_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpu-z\+_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu-z\+_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpu-ze\+_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpu-ze\+_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpg-sn_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpg-sn_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpg-qt_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpg-qt_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpg-ot-cpu_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpg-ot-cpu_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpi-nt_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpi-nt_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpi-n_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpi-n_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpl-i_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpl-i_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dpx-t_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dpx-t_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11dgo-t_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11dgo-t_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11sca_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11sca_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11sca-f_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11sca-f_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11sch-f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11sch-f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11sch-ln4f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11sch-ln4f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11sca-w_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11sca-w_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11scl-f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11scl-f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11scl-ln4f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11scl-ln4f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11scl-if_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11scl-if_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11scm-f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11scm-f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11scm-ln8f_firmware | 1.23.2 | cpe:2.3:o:supermicro:x11scm-ln8f_firmware:1.23.2:*:*:*:*:*:*:* |
| supermicro | x11scw-f_firmware | 3.75.00 | cpe:2.3:o:supermicro:x11scw-f_firmware:3.75.00:*:*:*:*:*:*:* |
| supermicro | x11spa-t_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11spa-t_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11spa-tf_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11spa-tf_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11spi-tf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spi-tf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spl-f_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spl-f_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spm-f_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spm-f_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spm-tf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spm-tf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spm-tpf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spm-tpf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11sph-nctf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11sph-nctf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11sph-nctpf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11sph-nctpf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spw-tf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spw-tf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spw-ctf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spw-ctf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11spg-tf_firmware | 1.71.6 | cpe:2.3:o:supermicro:x11spg-tf_firmware:1.71.6:*:*:*:*:*:*:* |
| supermicro | x11sri-if_firmware | 3.75.00 | cpe:2.3:o:supermicro:x11sri-if_firmware:3.75.00:*:*:*:*:*:*:* |
| supermicro | x11srl-f_firmware | 3.74.2 | cpe:2.3:o:supermicro:x11srl-f_firmware:3.74.2:*:*:*:*:*:*:* |
| supermicro | x11srm-f_firmware | 1.31.1 | cpe:2.3:o:supermicro:x11srm-f_firmware:1.31.1:*:*:*:*:*:*:* |
| supermicro | x11srm-vf_firmware | 1.31.1 | cpe:2.3:o:supermicro:x11srm-vf_firmware:1.31.1:*:*:*:*:*:*:* |
| supermicro | x11ssl-f_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssl-f_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssm-f_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssm-f_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssl_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssl_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssm_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssm_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-f_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-f_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-ln4f_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-ln4f_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssw-4tf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssw-4tf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssw-tf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssw-tf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssw-f_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11ssw-f_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11ssi-ln4f_firmware | 1.71.5 | cpe:2.3:o:supermicro:x11ssi-ln4f_firmware:1.71.5:*:*:*:*:*:*:* |
| supermicro | x11ssw-f_firmware | 3.85.00 | cpe:2.3:o:supermicro:x11ssw-f_firmware:3.85.00:*:*:*:*:*:*:* |
| supermicro | x11ssh-tf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-tf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-ctf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-ctf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssl-cf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssl-cf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssl-nf_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssl-nf_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-gf-1585_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-gf-1585_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-gf-1585l_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-gf-1585l_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-gtf-1585_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-gtf-1585_firmware:1.56:*:*:*:*:*:*:* |
| supermicro | x11ssh-gtf-1585l_firmware | 1.56 | cpe:2.3:o:supermicro:x11ssh-gtf-1585l_firmware:1.56:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/ | Third Party Advisory |
| https://github.com/eclypsium/USBAnywhere | Third Party Advisory |
| https://www.supermicro.com/support/security_BMC_virtual_media.cfm | Vendor Advisory |