
Supermicro is well known as a price-competitive Rack-Scale Total IT Solutions provider that designs and builds an environmentally-friendly and energy-saving portfolio of servers, storage systems, switches, and software, while also providing global support services.

However, in 2025, one major reason not to buy Supermicro products is their poor handling of BIOS updates, which are critical for security and system stability. Despite being an Intel Titanium Partner, Supermicro fails to deliver Intel CPU microcode updates on schedule and does not publish directly accessible changelogs for the contents of its BIOS and BMC updates.

The Problem

BIOS and microcode updates are essential for fixing security vulnerabilities and improving system functionality. Intel regularly releases microcode updates to address security flaws and functional issues in its CPUs, and responsible vendors integrate these updates into BIOS releases as quickly as possible, usually ahead of or in lockstep with the publication of the corresponding security advisories. Unfortunately, Supermicro has demonstrated a lack of urgency and transparency in this regard.

Timeline of events

2025-01-26 - I ask about the lack of BIOS with Intel CPU microcode update revision 2B000603 dated 2024-06-20.

2025-01-28 - Supermicro requests SKU and serial number for review.

2025-01-28 - I provide requested information.

2025-01-28 - Supermicro states they don't wait for customers to request updates and their engineering team determines update schedules.

2025-02-22 - Almost a month later without response, I bring up another Intel CPU microcode update revision 2C0003E0 dated 2024-07-30 along with relevant security advisories.

2025-02-24 - Supermicro acknowledges the issue and states they’ll check internally.

2025-02-27 - Supermicro provides an update, mentioning that BIOS R2.2 will take 3-4 weeks for validation before being posted.

2025-02-28 - I respond criticizing Supermicro’s slow response compared to other vendors and reiterate the need for changelogs.

2025-02-28 - Supermicro acknowledges the comment and assures it will be passed to the PM team.

2025-03-31 - Last BIOS update for my mainboard is dated 2024-05-28, so I inform Supermicro I will be writing an article.

Email correspondence

Below is a full exchange between me and Supermicro technical support regarding Intel CPU microcode updates. The emails highlight how Supermicro fails to provide timely updates and does not communicate changelogs publicly, requiring unnecessary steps for customers to obtain critical security information.


From: Igor Levicki <censored>
Sent: Sunday, January 26, 2025 3:04 AM
To: Technical Support <support@supermicro.com>
Subject: Microcode update

Hello,

New microcode revision for Sapphire Rapids has been available (2B000603, current is 2B0005C0) which according to Intel fixes functional and security issues:

[Image: uCodeChecker screenshot 1]

As you can see from the date, it's been available for quite a while. With that in mind I have two questions:

1. Does Supermicro always wait for customers to ask for updates related to security and functionality?

2. Is Supermicro committed to providing product support of this kind or not?

The way I see it Supermicro should be notifying me about this, not the other way around.

Please advise.
Regards,
Igor Levicki


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update
Date: Tue, 28 Jan 2025 19:32:03 +0000

Hi Igor,

Can you please provide the serial number of the system or the SKU for review?

Thanks


From: Igor Levicki <censored>
Sent: Tuesday, January 28, 2025 1:45 PM
To: Technical Support <support@supermicro.com>
Subject: Re: Microcode update

Hi

X13SRA-TF
S/N: <censored>

Regards,
Igor


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update
Date: Tue, 28 Jan 2025 22:04:34 +0000

Dear Igor,

No, we don’t wait for the customer to ask for updates related to security and functionality. Our engineer and PM team will determine the BIOS update schedule. Thanks a lot!

Have a great day!


From: Igor Levicki <censored>
Sent: Saturday, February 22, 2025 3:43 AM
To: Technical Support <support@supermicro.com>
Subject: Re: Microcode update

Hello,

You may claim you don't wait, but here I am asking Supermicro for an updated BIOS again — while your engineering and PM team is "determining BIOS update schedule" Intel has released another batch of microcode updates fixing both security and functional issues:

[Image: uCodeChecker screenshot 2]

Intel advisories:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html

I find this level of lack of care about security and functionality of your products totally unacceptable.

Supermicro should get out of 1990s where BIOS updates were risky and start publishing timely BIOS updates along with publicly accessible release notes.

Regards,
Igor Levicki


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update
Date: Mon, 24 Feb 2025 18:10:18 +0000

Dear Igor,

Thank you for contacting Super Micro Technical Support!

We’ll check this information internally and get back to you ASAP.

Have a great day!


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update
Date: Thu, 27 Feb 2025 17:19:47 +0000

Dear Igor,

Good morning!

Based on our internal update, R 2.2 BIOS will be submitted to our LAB to validate for X13SRA-TF. It’ll take about 3-4 weeks. Once the validation is completed, we’ll post on our website immediately. About the security update information, feel free to check our Super Micro security page as a reference. https://www.supermicro.com/en/support/security_center#!advisories Thanks a lot!

Have a great day!


From: Igor Levicki <censored>
Sent: Friday, February 28, 2025 3:47 AM
To: Technical Support <support@supermicro.com>
Subject: Re: Microcode update [KY]

Hello,

Microcode was probably available to OEMs for integration and testing from Intel well before those advisories were published. Other vendors, such as HP, are taking a proactive stance on security and publish firmware updates with a CHANGELOG in lockstep with advisories, not a month after, and most certainly don't wait for customers to prod them into action.

As for your security page it is nice, but you know very well that's not what I mean — for the sake of transparency BIOS and BMC update pages should have a CHANGELOG. We the customers need to see what changes have been made so we can make an informed decision when updating and be aware of potential issues.

Regards,
Igor Levicki


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update [KY]
Date: Fri, 28 Feb 2025 16:43:33 +0000

Dear Igor,

Thanks for your comment! We’ll forward your comment to our PM team.

On the other hand, BIOS and BMC release notes can be requested through our Super Micro Sales team who takes care of your account.

Thanks again!

Have a great day!


From: Igor Levicki <censored>
Sent: Friday, February 28, 2025 9:33 AM
To: Technical Support <support@supermicro.com>
Subject: Re: Microcode update [KY]

Hello,

I am aware that they can be requested, but:

1. I'd have to contact a company, company contacts your sales team, they send info back to company, the company sends it back to me — how is 4 extra steps (and that's assuming that everyone involved gets it right the first time) better than just having a changelog and release notes like every other vendor in the industry?

2. That doesn't help people who buy your products directly in retail or on your own eStore.

You can pass that to the PM team too and have a nice day yourself.

Regards,
Igor Levicki


From: Technical Support <support@supermicro.com>
To: Igor Levicki <censored>
Subject: RE: Microcode update [KY]
Date: Fri, 28 Feb 2025 17:36:07 +0000

Dear Igor,

Thanks for your comment!

We’ll pass your comment about the BIOS/BMC release notes to our PM team. Thanks again!

Have a great day!


From: Igor Levicki <censored>
Sent: Monday, March 31, 2025 1:04 PM
To: Technical Support <support@supermicro.com>
Subject: Re: Microcode update [KY]

Hello,

It's now been 22 business days since you said 3-4 weeks for a BIOS update.

This email is to let your management know that I will be writing an independent article about Supermicro's atrocious lack of timely security updates as well as lack of transparency on the update contents. It will include this correspondence with all the relevant dates and other information as an example of your company's failure to follow best practices.

Have a nice day.

Regards,
Igor Levicki


Comparison with Other Vendors

Unlike Supermicro, vendors such as HP, Dell, and Lenovo proactively release BIOS updates alongside security advisories. They provide clear changelogs and ensure customers have access to security patches without delays. This approach reflects their commitment to security and reliability, something that Supermicro lacks.

Why This Matters

Failing to provide timely BIOS and microcode updates puts users at risk. Security vulnerabilities, especially those enabling CPU side-channel attacks, remain exploitable while patches are delayed, which can lead to data breaches. In a competitive industry where security and transparency are paramount, Supermicro’s outdated approach makes them a poor choice for businesses and professionals who rely on timely security updates.
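
One way to check which microcode revision a Linux host is actually running, instead of inferring it from the BIOS release date (an added example, not part of the original correspondence or any vendor tool): it parses /proc/cpuinfo and compares every logical CPU against a required revision. The sample input is constructed, the function names are hypothetical, and the required revision is assumed to be the one Intel lists for the installed CPU model and stepping.

```python
import re
import sys
from pathlib import Path

# Constructed sample in /proc/cpuinfo format (not captured from a real host).
# The two revisions are the ones named in the first email on this page.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Example Xeon (constructed)
microcode\t: 0x2b0005c0

processor\t: 1
model name\t: Example Xeon (constructed)
microcode\t: 0x2b000603

processor\t: 2
model name\t: Example Xeon (constructed)
"""

def parse_microcode(cpuinfo_text):
    """Map logical CPU number -> loaded microcode revision (None if not reported)."""
    revisions = {}
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "processor" not in fields:
            continue
        raw = fields.get("microcode")
        revisions[int(fields["processor"])] = int(raw, 16) if raw else None
    return revisions

def audit(cpuinfo_text, required_rev):
    """Flag CPUs below required_rev, CPUs with no revision, and mixed revisions."""
    revs = parse_microcode(cpuinfo_text)
    known = {r for r in revs.values() if r is not None}
    return {
        "outdated": sorted(c for c, r in revs.items() if r is not None and r < required_rev),
        "unknown": sorted(c for c, r in revs.items() if r is None),
        "mixed": len(known) > 1,  # cores disagree: an update was only partly applied
        "compliant": bool(revs) and all(r is not None and r >= required_rev for r in revs.values()),
    }

if __name__ == "__main__":
    # Usage: script.py <required revision in hex>; default is the page's 2B000603.
    required = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0x2B000603
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_CPUINFO
    print(audit(text, required))
```

The numeric comparison is only meaningful between revisions for the same CPU model and stepping, so the required value should be looked up per platform before running it across a fleet.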

Conclusion

Supermicro’s failure to handle BIOS updates efficiently, coupled with their lack of transparency, makes their products a risky investment in 2025. Until they improve their update policies and customer communication, potential buyers should consider alternative vendors who prioritize security and reliability of their products.