A vulnerability found in the Baseboard Management Controller (BMC) component of IBM Cloud’s Bare Metal Server product could allow attackers to overwrite the firmware and then leverage the compromised firmware to attack future users of the product.

IBM has issued a firmware update to patch the flaw, which the company’s PSIRT team classified as low severity in a blog post published yesterday.

Bare metal servers are servers that are used exclusively at any one time by a single organization, as opposed to servers shared by multiple unaffiliated companies. IBM Cloud’s BMC component allows remote management of the bare metal server product for the purpose of provisioning, operating system reinstallation, and troubleshooting.

“On some system models offered by IBM Cloud and other cloud providers, a malicious attacker with access to the provisioned system could overwrite the firmware of the BMC. The system could then be returned to the hardware pool, where the compromised BMC firmware could then be used to attack the next user of the system,” reads the IBM alert.

“The BMC has limited processing power and memory, which makes these types of attacks difficult. IBM has found no indication that this vulnerability has been exploited for malicious purposes. In addition, all clients of IBM Cloud receive a private network for their BMCs, separate from the private networks containing other clients’ BMCs and unprovisioned BMCs.”

In response, IBM is “forcing all BMCs, including those that are already reporting up-to-date firmware, to be reflashed with factory firmware before they are re-provisioned to other customers,” the alert continues.

Researchers at Eclypsium say they reported the vulnerability to IBM back in September of 2018. The company disagrees with IBM’s low-severity classification, contending that it’s actually a critical severity based on CVSS 3.0 criteria. Eclypsium’s in-depth analysis of the vulnerability can be found here.