A critical security vulnerability has been disclosed in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.
The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.
“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” firmware security company Eclypsium said in a report shared with The Hacker News.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop.”
The vulnerability can further be weaponized to stage disruptive attacks, causing susceptible devices to continually reboot by sending malicious commands. This could then pave the way for indefinite downtime until the devices are re-provisioned.
CVE-2024-54085 is the latest in a long list of security shortcomings that have been uncovered in AMI MegaRAC BMCs since December 2022. They have been collectively tracked as BMC&C –
- CVE-2022-40259 – Arbitrary Code Execution via Redfish API
- CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
- CVE-2022-2827 – User enumeration via API
- CVE-2022-26872 – Password reset interception via API
- CVE-2022-40258 – Weak password hashes for Redfish & API
- CVE-2023-34329 – Authentication Bypass via HTTP Header Spoofing
- CVE-2023-34330 – Code injection via Dynamic Redfish Extension interface
Eclypsium noted that CVE-2024-54085 is similar to CVE-2023-34329 in that it allows for an authentication bypass with a similar impact. The vulnerability has been confirmed to affect the below devices –
- HPE Cray XD670
- Asus RS720A-E11-RS24U
- ASRockRack
AMI has released patches to address the flaw as of March 11, 2025. While there is no evidence that the issue has been exploited in the wild, it’s essential that downstream users update their systems once OEM vendors incorporate these fixes and release them to their customers.
“Note that patching these vulnerabilities is a non-trivial exercise, requiring device downtime,” Eclypsium said. “The vulnerability only affects AMI’s BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
New Ad Fraud Campaign Exploits 331 Apps with 60M+ Downloads for Phishing and Intrusive Ads