A critical vulnerability in American Megatrends International’s (AMI) MegaRAC Baseboard Management Controller (BMC) software allows attackers to remotely hijack and potentially brick vulnerable servers. This impacts numerous server vendors, posing a significant threat to enterprise businesses.
The MegaRAC BMC offers “lights-out” and “out-of-band” remote server management. This firmware is used by over a dozen server vendors supplying equipment to major cloud service and data center providers, including HPE, Asus, ASRock, and others.
The vulnerability, tracked as CVE-2024-54085, is a maximum severity authentication bypass flaw. Attackers can exploit it remotely without user interaction through the Redfish remote management interfaces or the internal BMC interface.
“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” Eclypsium explained in a recent report.
The consequences of exploitint the AMI MegaRAC Bug are severe: remote server control, malware deployment, ransomware attacks, firmware tampering, bricking of motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage/bricking), and unstoppable reboot loops.
Eclypsium researchers discovered CVE-2024-54085 while analyzing patches for CVE-2023-34329, another authentication bypass vulnerability disclosed in July 2023. HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack systems are confirmed vulnerable. However, many more devices and vendors are likely affected. Shodan searches revealed over 1,000 potentially exposed servers online.
Exposed AMI MegaRAC instances (Eclypsium)
Eclypsium’s research into MegaRAC vulnerabilities (BMC&C) previously uncovered five more flaws (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) in December 2022 and January 2023.
These could also lead to server hijacking, bricking, or remote malware infection. A code injection vulnerability (CVE-2023-34330) found in July 2023 allows malicious code injection via Redfish interfaces and can be chained with other discovered bugs. CVE-2022-40258, involving weak Redfish & API password hashes, simplifies attacks.
While no in-the-wild exploits for CVE-2024-54085 are known, creating one is considered “not challenging” due to unencrypted firmware binaries.
AMI, Lenovo, and HPE released patches on March 11, 2025. Enterprise IT teams should immediately apply these patches, avoid exposing AMI MegaRAC instances online, and monitor server logs for suspicious activity.
“To our knowledge, the vulnerability only affects AMI’s BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers,” Eclypsium noted.
Patching, however, is a complex process requiring device downtime.
Helpful Reads:
