The Problem
That device with a Datto, Barracuda, or Nutanix label on the outside is almost certainly running on a SuperMicro, American Megatrends, or similar commodity server board inside. The branded vendor patches its software and its cloud infrastructure. The underlying hardware - specifically its firmware, BIOS, and IPMI (Intelligent Platform Management Interface) - is left to you.
We Asked the Vendors Directly
Datto told ThreeShield that it is the MSP's responsibility to change default IPMI and BIOS passwords. Nutanix said they are a software company and aren't responsible for the hardware - even though they brand it and sell it as an all-in-one hyperconverged solution. When we asked if they inform their clients of this responsibility, both said no.
This means your MSP likely doesn't know they're responsible for firmware patching. And if your MSP doesn't know, neither do you.
How Easy Is It to Attack?
A basic network scan will likely reveal an IPMI interface on your appliance. The default credentials are probably admin / admin, and the management web interface is probably served over unencrypted HTTP on port 80. Since neither you nor your MSP has ever logged into it, the firmware likely dates back five or more years, with well-documented vulnerabilities that require no sophisticated attacker to exploit.
What can an attacker with IPMI access do? Turn off the device. Access the underlying system at console level. Install ransomware or cryptomining software. Exfiltrate data. For backup appliances - typically treated as "set and forget" - a compromised or disabled backup device might not be discovered for months. And when ransomware hits and you need that backup, it won't be there.
What to Do Right Now
- Change IPMI and BIOS passwords today. Coordinate with your MSP. Low risk, high payoff.
- Disconnect IPMI ports if you don't actively use them. Label the cable and port so you can find them during emergencies. Only plug in when needed.
- Add firmware to your monthly patch cycle. Your standard patch management tool won't catch firmware. Plan for downtime windows.
- Test your backups with actual restore simulations. A backup job completing successfully is not the same as having a working backup. Run quarterly simulated failovers and verify application functionality, not just file existence.
Lavawall® monitors device and endpoint patch states continuously. ThreeShield's infrastructure assessments explicitly check IPMI exposure, firmware update status, and management interface access controls as part of standard review scope.