ASUS BMC's firmware: buffer overflow - SMTP configuration function
Description
The SMTP configuration function in ASUS BMC’s firmware Web management page does not verify the length of strings entered by users, resulting in a buffer overflow vulnerability. After obtaining privileged permission, remote attackers can use the flaw to abnormally terminate the Web service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ASUS BMC firmware's SMTP config function lacks input length validation, causing a buffer overflow that can crash the web service under privileged remote access.
Vulnerability
The SMTP configuration function in ASUS BMC’s Web management page does not verify the length of strings entered by users, resulting in a buffer overflow vulnerability. The flaw resides in the firmware of multiple ASUS server models (Z10PR-D16, ASMB8-iKVM, Z10PE-D16 WS), versions 1.14.51, 1.14.51, and 1.14.2 respectively [1]. An attacker with administrative privilege can trigger the overflow by supplying an overly long input string to the SMTP settings field, leading to abnormal termination of the Web service.
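The class of check the description says is missing, shown as an added example (not ASUS firmware code and not taken from the advisory): a C setter that rejects overlong SMTP fields before copying them into fixed-size buffers. The struct, field names, buffer sizes and `smtp_config_set` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: names and sizes are assumptions for this example,
 * not taken from the ASUS firmware. */
#define SMTP_SERVER_MAX 64
#define SMTP_SENDER_MAX 64
#define SMTP_USER_MAX   32

struct smtp_config {
    char server[SMTP_SERVER_MAX];
    char sender[SMTP_SENDER_MAX];
    char user[SMTP_USER_MAX];
};

enum smtp_status { SMTP_OK = 0, SMTP_ERR_NULL = -1, SMTP_ERR_TOO_LONG = -2 };

/* 1 if s (with its NUL) fits a cap-byte buffer; reads at most cap bytes. */
static int fits(const char *s, size_t cap)
{
    for (size_t i = 0; i < cap; i++)
        if (s[i] == '\0')
            return 1;
    return 0;
}

/* Validate every field before writing any of them, so a rejected request
 * leaves the stored configuration untouched instead of half-updated. */
int smtp_config_set(struct smtp_config *cfg, const char *server,
                    const char *sender, const char *user)
{
    if (!cfg || !server || !sender || !user)
        return SMTP_ERR_NULL;
    if (!fits(server, sizeof cfg->server) ||
        !fits(sender, sizeof cfg->sender) || !fits(user, sizeof cfg->user))
        return SMTP_ERR_TOO_LONG;      /* reject; do not truncate silently */
    memcpy(cfg->server, server, strlen(server) + 1);  /* lengths proven above */
    memcpy(cfg->sender, sender, strlen(sender) + 1);
    memcpy(cfg->user, user, strlen(user) + 1);
    return SMTP_OK;
}

int main(void)
{
    struct smtp_config cfg = {0};
    char big[512];                     /* constructed overlong input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return smtp_config_set(&cfg, big, "a@example.test", "u") == SMTP_ERR_TOO_LONG ? 0 : 1;
}
```

Returning an error for an overlong field, rather than truncating it, lets the Web handler report the problem to the administrator and keeps the stored settings consistent.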
Exploitation
To exploit this vulnerability, the attacker must first obtain privileged remote access to the BMC Web management interface. With that access, they navigate to the SMTP configuration page and submit a string that exceeds the buffer capacity. No user interaction or race condition is required; the overflow occurs immediately upon submission. The network position can be remote, as the BMC interface is typically exposed over the network [1].
Impact
On successful exploitation, the Web service crashes, resulting in a denial-of-service condition. The impact is limited to availability (C:N/I:N/A:H) per the CVSS vector [1]. No data disclosure or remote code execution is reported; the overflow only disrupts the service.
Mitigation
ASUS has released firmware updates to address this vulnerability: Z10PR-D16 to version 1.16.1, ASMB8-iKVM to version 1.16.1, and Z10PE-D16 WS to version 1.16.1 [1]. Users should update their BMC firmware to these patched versions. No workarounds are documented; the fix is the sole mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ASUS/BMC firmware for ASMB8-iKVM [v5] Range: 1.14.51
- ASUS/BMC firmware for Z10PE-D16 WS [v5] Range: 1.14.2
- ASUS/BMC firmware for Z10PR-D16 [v5] Range: 1.14.51
Patches
No patches discovered yet.
References
- www.asus.com/content/ASUS-Product-Security-Advisory/ (mitre, x_refsource_MISC)
- www.asus.com/tw/support/callus/ (mitre, x_refsource_MISC)
- www.twcert.org.tw/tw/cp-132-4559-ad2b5-1.html (mitre, x_refsource_MISC)