Both Gigabyte and Lenovo used the MergePoint EMS component, which was supplied on certain server-line motherboards for the baseboard management controller (BMC). The BMC is a component that includes its own CPU, storage, and LAN port, allowing a remote administrator to connect or send instructions to the computer/server for various operations, including changing OS settings, reinstalling the OS, or updating drivers. IPMI is a collection of tools commonly found on servers and workstations on corporate networks that allows sysadmins to run systems remotely. The Vertiv Avocent MergePoint EMS was used as BMC firmware for both the AST2500 and the AST2400.

GIGABYTE SWITCHES TO AMI-BASED BMC FIRMWARE

Late in June, Gigabyte also announced that support for the Vertiv Avocent MergePoint EMS firmware product was ending and that it was switching to the AMI MegaRAC SP-X firmware platform. Both vulnerabilities require an attacker who has access to, or has already compromised, an infected host. There are no updates for server motherboards with the ASPEED AST2400 controller. Gigabyte could not be reached by phone about which companies use the vulnerable motherboards, or whether those companies, which use third-party motherboards as part of their supply chain, have been informed of the security problems Eclypsium reported.

GIGABYTE SUPPLY-CHAIN PROBLEM

However, things aren't that simple. Second, there is a command injection vulnerability in the MergePoint EMS component, allowing an attacker to run malicious code with the highest privileges on a server running vulnerable MergePoint EMS BMC firmware.
For some device owners the situation is now a little gray, as they must dig into their server hardware, check which BMC controller and which firmware they use, and then search for firmware updates, if any are available for their products. First, the component lacks a cryptographically secured update process, so the BMC firmware can be overwritten by any attacker with a foothold on an infected device. Gigabyte and Lenovo have published firmware updates for certain of their server motherboards. Eclypsium has said that Vertiv never responded to its communications about the security flaws. Eclypsium now fears that several Acer server products, because of their Gigabyte roots, may contain the same MergePoint EMS firmware flaws.

LENOVO PATCHES

In November 2018, Lenovo released firmware updates to address these two security flaws found in the MergePoint EMS component. On the 1st of April 2019 Gigabyte decided that it would end support for the MergePoint EMS firmware platform, after Vertiv's own announcement. Eclypsium states that Gigabyte published firmware updates only for motherboards that use the ASPEED AST2500 controller as their BMC hardware. Essentially, Gigabyte customers can protect themselves by installing the new AMI-based firmware, if available. The company has published no exact list of server-line products that use an unsecured BMC firmware update process. In the case of the affected products, the firmware component in use is named MergePoint EMS, from Avocent, a wholly owned subsidiary of data center equipment and services provider Vertiv. To replace the BMC firmware with the new AMI MegaRAC SP-X, Gigabyte began releasing server motherboard firmware updates.
Eclypsium security researchers published details of two flaws in Vertiv Avocent MergePoint EMS BMC firmware in a report released on Tuesday 16 July 2013. The patch only addresses the command injection vulnerability, but not the first one, leaving firmware updates unsigned. The affected products include several Lenovo ThinkServer models listed in Lenovo's security advisory. Like Lenovo, Gigabyte only patched the second flaw, and not the first. Lenovo told Eclypsium it did not intend to patch the first one: in 2014, when the EMS component was first deployed as the BMC firmware of its servers, crypto-signed firmware updates were not an industry standard, and that protection had not been included in the component's design. The flaws can still be used to create extremely long-lived backdoors that can even outlast an OS reinstall.

GIGABYTE PATCHES

Gigabyte likewise released firmware updates in May, but no official notice was made available to inform its customers. Lenovo said it will not address this issue and will let the affected products reach end of life. Eclypsium also pointed out that Gigabyte sells some of its server motherboards to third-party system integrators, which build their own branded custom server products. This means that neither vulnerability can be exploited against servers remotely. BMCs are part of the larger Intelligent Platform Management Interface (IPMI).