CVE-2025-65002: Fujitsu iRMC S6 Auth Bypass Vulnerability

CVE-2025-65002 Overview

CVE-2025-65002 affects Fujitsu and Fsas Technologies iRMC S6 firmware running on M5 generation servers before version 1.37S. The integrated Remote Management Controller mishandles Redfish and WebUI access decisions when the authenticated username has a length of exactly 16 characters. An attacker holding low-privilege credentials can leverage this boundary condition to bypass intended authorization checks on the management interface. The flaw is classified under [CWE-863] Incorrect Authorization and impacts the confidentiality, integrity, and availability of the baseboard management controller.

Critical Impact

An authenticated attacker with a 16-character username can bypass authorization controls on the iRMC S6 Redfish API and WebUI, gaining unintended access to server management functions.

Affected Products

• Fujitsu iRMC S6 firmware on M5 generation servers before 1.37S
• Fsas Technologies iRMC S6 firmware on M5 generation servers before 1.37S
• Redfish API and WebUI management interfaces exposed by the affected firmware

Discovery Timeline

• 2025-11-12 - CVE-2025-65002 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-65002

Vulnerability Analysis

The iRMC S6 is the baseboard management controller (BMC) embedded in Fujitsu PRIMERGY M5 servers. It exposes a Redfish REST API and a web-based user interface for out-of-band server management. Operators authenticate to these interfaces with local or directory-sourced accounts before issuing privileged hardware operations.

The vulnerability lies in how the controller evaluates access control decisions tied to the authenticated principal. When the supplied username is exactly 16 characters long, the firmware mishandles the request path used by Redfish and the WebUI. The result is an authorization decision that does not match the intended privilege level of the account.

Exploitation requires network reach to the management interface and valid credentials, which limits opportunistic abuse. However, BMCs frequently sit on management VLANs shared by administrators, vendors, and automation accounts, making low-privilege footholds realistic. Successful exploitation grants access to management operations such as virtual media, power control, firmware updates, and configuration changes.

Root Cause

The defect is an incorrect authorization condition [CWE-863] keyed on username length. A boundary value of 16 characters triggers logic that fails to enforce the access policy applied to other username lengths. This is consistent with a fixed-size buffer or off-by-one comparison in the identity handling code path shared by Redfish and the WebUI.

Attack Vector

The attack vector is network-based against the iRMC management interface. An attacker authenticates with a low-privilege account whose username is exactly 16 characters and then issues Redfish API calls or WebUI requests that should be denied. The mishandled length check causes the controller to grant access that the account does not legitimately hold.

No verified proof-of-concept code is publicly available. Refer to the Fujitsu Security Notice FTI-ISS-2025-082610 for vendor-supplied technical detail.

Detection Methods for CVE-2025-65002

Indicators of Compromise

• Successful Redfish or WebUI requests from accounts whose username length is exactly 16 characters that touch privileged endpoints such as /redfish/v1/Managers/ or /redfish/v1/Systems/.
• iRMC audit log entries showing configuration, firmware, or power-state changes performed by accounts that should lack those permissions.
• Unexpected virtual media mounts, BIOS setting changes, or new local iRMC accounts created outside change windows.

Detection Strategies

• Inventory all iRMC S6 local and directory accounts and flag any whose username is exactly 16 characters for review and rotation.
• Compare Redfish access logs against the documented role assignments to identify operations performed beyond an account's intended scope.
• Monitor for repeated authentication from the same 16-character account against the Redfish endpoint, especially from non-administrative source IPs.

Monitoring Recommendations

• Forward iRMC syslog and Redfish audit events to a centralized logging platform and alert on privileged operations executed by non-administrative accounts.
• Baseline normal BMC traffic on the management VLAN and alert on connections from systems outside the approved administrator subnet.
• Track firmware versions across the fleet and alert when an iRMC S6 running below 1.37S appears on the network.

How to Mitigate CVE-2025-65002

Immediate Actions Required

• Upgrade iRMC S6 firmware on all affected M5 servers to version 1.37S or later as published by Fujitsu / Fsas Technologies.
• Audit existing iRMC accounts and rename or remove any local or directory accounts whose username length is exactly 16 characters until firmware is updated.
• Restrict Redfish and WebUI exposure to a dedicated, access-controlled management network and block reachability from general user segments.

Patch Information

Fujitsu and Fsas Technologies address the issue in iRMC S6 firmware version 1.37S for M5 generation servers. Apply the updated firmware image distributed through the standard Fujitsu support channels. Full vendor guidance is documented in the Fujitsu Security Notice FTI-ISS-2025-082610.

Workarounds

• Enforce a username policy that prohibits 16-character usernames on iRMC S6 accounts pending firmware deployment.
• Place the iRMC management interface behind a jump host or VPN that enforces multi-factor authentication and source-IP restrictions.
• Disable unused management protocols on the iRMC and limit Redfish access to a defined administrator allowlist where the firmware supports it.

# Example: verify the running iRMC firmware version via Redfish before and after patching
curl -k -u "<admin_user>:<admin_password>" \
  https://<irmc_host>/redfish/v1/Managers/iRMC/ \
  | jq '.FirmwareVersion'