On the one hand, while I have no reason to disbelieve this specific blog post about Super Micro, I know for a fact that elements of their other posts about other companies are simply wrong, including a number of their claims about Roblox.
That's the risk with relying on short sellers' reports. Very frequently, the short seller is lying.
With SuperMicro, the auditor's withdrawal is worth 100x the short sellers' report. This is because it is very common for short sellers to make up claims about a company's financials, but it is very rare for an auditor to voluntarily withdraw.
They used to give out a calendar every year filled with pictures of their executives (mainly CEO) living a lavish lifestyle. Posing with Ferraris, ribbon cutting ceremonies, stepping onto the company private jet, etc.
You could always tell when investors or potential customers were in town because the SMCI parking lot would suddenly have brightly colored sports cars parked right out front of the office, only to vanish shortly after until the next high profile meeting.
I always thought this was strange, but chalked it up to it being a cultural difference on how business is done in Asia vs the USA, but apparently not. GoPro used to do the same thing at their office in San Mateo back when the stock wasn't circling the drain, two Ferraris parked right outside the front door as you walked into the building. Appearances can often be deceiving, I guess.
I would call it more stupid than strange. It practically screams "Please eat our lunch with a more lean and efficient company!" when they think bragging about how much money they waste is a good thing.
Supermicro and Asus are just about the only ones who make the motherboards I need in my COTS on-prem/dc stuff. Why don't more manufacturers target the server x64 market? It's sorely needed. I've built entire systems with SM, but they've long had issues, there just aren't many alternatives in the space.
I think you're making the mistake of confusing a cover image for a claim. If you have any experience with magazine cover images, you shouldn't take them that literally, because they're not meant to be.
I always assumed they were talking about vulnerabilities slipped into BMC firmware or maybe into (counterfeit?) ASPEED BMC chips themselves. If there was one thing an attacker would want to pwn to pwn an entire server, it would be the BMC.
It's really weird to me how desperate so many people are to shut down any mention of this story instead of adopting an “if it were true, what would it look like?”-and-hope-to-be-wrong approach.
The issue I have with it is that they make specific claims about a single manufacturer and certain of their customers, with no evidence to back up what specifically they think was done, and in fact the details they do give don't really make much sense. The general claim, that these sorts of attacks are possible, and likely do happen, is not really in dispute, and you can of course imagine all kinds of details that would fit with the vague claims that they make (though, this also tends to require making up extra hoops or just assuming they invented some of the details that they did give, like you've just done by assuming it's a firmware attack, when they specifically mention an extra chip), but that's not really the point. If they run a story about an attack, it should have some credibility about that specific attack beyond that it's the kind of thing that could happen.
To use an analogy, it's much like running a story that Mrs Perkins's dog bit Mr Jones. It's not exactly something that in the abstract anyone would consider particularly unusual, but if they don't even tell you where such a canine attack took place, or how they came to know about it, or indeed anything else, and Mrs Perkins and Mr Jones deny it happened, you might quite reasonably want more details before you believe that it did happen (or indeed, get any real value at all from the story, even if you believe it did, given that, again, the general concept that a dog might bite someone isn't particularly interesting or surprising).
I'm not surprised about this at all. In spite of having plenty of actually decent products and good demand, the company has a history of acting shady and caring more about perceived appearance than about doing the right thing.
For instance, they appear to care about security issues that publicly embarrass them or that affect huge customers of theirs, issues that'd've been trivial to fix, instead of fixing issues for the sake of fixing them. This kind of "sales" based security and their responses have forced me to encourage multiple companies to use other vendors.
https://www.fool.com/investing/2024/07/13/is-super-micro-com...
https://www.forbes.com/sites/investor-hub/article/is-super-m...
https://investorplace.com/2024/03/smci-stock-alert-does-this...