Serious Security Flaw Discovered in AMI’s MegaRAC BMC Software
A critical vulnerability has been identified in AMI's MegaRAC Baseboard Management Controller (BMC) firmware that allows attackers to bypass authentication and perform unauthorized actions on the BMC of affected servers. The flaw is tracked as CVE-2024-54085 and carries a CVSS v4 base score of 10.0, the maximum possible.
According to the advisory from firmware security firm Eclypsium, which discovered the flaw, the weakness can be exploited by a remote attacker through the BMC's remote management interfaces, such as the Redfish API, and by a local attacker with access to the host that the BMC is connected to. The consequences are severe: an attacker who takes control of the BMC can remotely control the server, deploy malware or ransomware, tamper with firmware, and brick motherboard components. Eclypsium also notes the potential for physical damage through over-voltage and for indefinite reboot loops that the victim cannot stop, leaving systems unusable until they are fully re-provisioned.
This makes the flaw usable for purely disruptive attacks: by sending the BMC malicious commands, an attacker can force vulnerable devices into continuous reboot cycles and cause extended outages. CVE-2024-54085 is the latest in a series of MegaRAC BMC weaknesses that Eclypsium has been disclosing since December 2022.
Earlier flaws catalogued since late 2022 include arbitrary code execution via the Redfish API, default credentials that grant SSH shell access, and password reset interception. Taken together, these vulnerabilities are a growing concern for users of AMI MegaRAC BMC firmware and of the servers built on it.
Devices confirmed to be affected by CVE-2024-54085 include the HPE Cray XD670 and the Asus RS720A-E11-RS24U, though any server whose BMC runs the vulnerable MegaRAC code base is potentially exposed. At the time of writing, no in-the-wild exploitation had been reported. AMI released patches to its OEM customers on March 11, 2025; manufacturers must fold these fixes into their own firmware releases, and downstream users should apply the resulting updates as soon as their vendor makes them available.
HPE and Lenovo have already released security updates for their products that incorporate AMI's fix. Note that updating BMC firmware requires taking the affected server offline, a cost that operators must factor into their patching and risk-management plans.
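The inventory helper below is an added example written for this page; it is not code from the article, from Eclypsium or from AMI. It assumes only the standard DMTF Redfish endpoints (the /redfish/v1/ service root and the Managers collection) and HTTP Basic authentication. The BMC hostname, the credentials and the minimum fixed firmware version are placeholders: the threshold must come from your OEM's advisory for CVE-2024-54085, and the example does not test for the vulnerability itself, it only reports which BMCs still run firmware below the build you supply.

```python
"""Redfish BMC inventory triage (added example, not from the article, AMI or Eclypsium)."""
import base64
import json
import re
import ssl
import urllib.request

SERVICE_ROOT = "/redfish/v1/"  # readable without credentials per the Redfish spec


def version_tuple(version: str) -> tuple:
    """Reduce a vendor version string ('12.0', '1.05.03', 'SPx-12.0-b4') to the integers
    it contains. OEM numbering schemes differ; confirm this matches yours before relying on it."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_older_than(current: str, minimum: str) -> bool:
    """True when `current` sorts strictly below `minimum` ('12.0' compares equal to '12.0.0')."""
    cur, low = version_tuple(current), version_tuple(minimum)
    width = max(len(cur), len(low))
    cur += (0,) * (width - len(cur))
    low += (0,) * (width - len(low))
    return cur < low


def parse_service_root(body: str) -> dict:
    """Pick the inventory-relevant fields out of a service-root document."""
    doc = json.loads(body)
    return {
        "redfish_version": doc.get("RedfishVersion"),
        "vendor": doc.get("Vendor"),
        "managers_path": (doc.get("Managers") or {}).get("@odata.id"),
    }


def parse_manager(body: str) -> dict:
    """Pick Id, Model and FirmwareVersion out of a Manager resource."""
    doc = json.loads(body)
    return {"id": doc.get("Id"), "model": doc.get("Model"),
            "firmware_version": doc.get("FirmwareVersion")}


def triage_manager(manager: dict, minimum_fixed_version: str) -> str:
    """Classify one BMC against the minimum fixed build taken from the vendor advisory."""
    fw = manager.get("firmware_version")
    if not fw:
        return "UNKNOWN: no FirmwareVersion reported, check the vendor UI manually"
    if is_older_than(fw, minimum_fixed_version):
        return f"NEEDS UPDATE: {fw} is below {minimum_fixed_version}"
    return f"OK: {fw} is at or above {minimum_fixed_version}"


def fetch_json(base_url: str, path: str, user=None, password=None, verify_tls=True) -> str:
    """GET a Redfish resource and return the raw JSON body. HTTP Basic is one of the schemes
    Redfish mandates. Many BMCs ship self-signed certificates, so verify_tls=False is offered
    for lab use only; on a production management network pin the certificate instead."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def triage_bmc(base_url: str, user: str, password: str, minimum_fixed_version: str,
               verify_tls: bool = True) -> list:
    """Walk service root -> Managers collection -> each Manager and triage every BMC found."""
    root = parse_service_root(fetch_json(base_url, SERVICE_ROOT, verify_tls=verify_tls))
    collection = json.loads(fetch_json(base_url, root["managers_path"], user, password, verify_tls))
    results = []
    for member in collection.get("Members", []):
        mgr = parse_manager(fetch_json(base_url, member["@odata.id"], user, password, verify_tls))
        results.append((mgr["id"], mgr["model"], triage_manager(mgr, minimum_fixed_version)))
    return results


# Constructed sample documents in the shape a Redfish service returns (not captured from a real BMC).
SAMPLE_SERVICE_ROOT = json.dumps({
    "@odata.id": "/redfish/v1/", "RedfishVersion": "1.8.0", "Vendor": "ExampleOEM",
    "Managers": {"@odata.id": "/redfish/v1/Managers"},
})
SAMPLE_MANAGER = json.dumps({
    "@odata.id": "/redfish/v1/Managers/Self", "Id": "Self", "ManagerType": "BMC",
    "Model": "Example BMC", "FirmwareVersion": "1.05.03",
})

if __name__ == "__main__":
    # Offline demonstration. "1.06.00" is a placeholder threshold, not a real fixed build:
    # take the actual value from your OEM's advisory for CVE-2024-54085.
    print(parse_service_root(SAMPLE_SERVICE_ROOT))
    print(triage_manager(parse_manager(SAMPLE_MANAGER), "1.06.00"))
    # Live use against one BMC (hypothetical host and credentials):
    # print(triage_bmc("https://bmc.example.internal", "admin", "secret", "1.06.00"))
```

Run it against every BMC address in your inventory from a host on the management network, never from a jump box on a general-purpose LAN, and treat an UNKNOWN result as a BMC to inspect by hand rather than one to skip.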
Because AMI sits at the top of the BMC and BIOS supply chain, this single flaw propagates to many server manufacturers and their customers. Successful exploitation of CVE-2024-54085 maps to MITRE ATT&CK techniques for initial access (Exploit Public-Facing Application, T1190) and for privilege escalation through vulnerability exploitation (T1068).
Operators should remain vigilant as the situation develops: inventory the BMCs in their fleet, confirm firmware versions against vendor advisories, keep BMC management interfaces off untrusted networks, and follow the ongoing discussion of CVE-2024-54085 in the security community. Disciplined patch management remains the most effective mitigation for vulnerabilities of this kind.