AMI MegaRAC authentication bypass flaw is being exploited, CISA warns – Source: www.networkworld.com

Source: www.networkworld.com – Author: Gyana Swain

CISA has added CVE-2024-54085 to its known exploited vulnerabilities list as enterprises struggle with incomplete vendor patches.

A critical authentication bypass by spoofing vulnerability in AMI MegaRAC SPx server management firmware is now being actively exploited by attackers, creating urgent pressure for enterprises still waiting for complete vendor patches across their infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-54085 to its Known Exploited Vulnerabilities catalog on June 25, signaling a dangerous escalation from theoretical risk to confirmed attacks. The vulnerability affects AMI MegaRAC SPx firmware, the behind-the-scenes software that lets IT teams remotely control servers even when they’re powered off.

The development puts enterprise IT teams in a challenging position: while AMI released patches on March 11, server manufacturers have been slow to integrate and distribute fixes, leaving many organizations vulnerable to a maximum-severity flaw that grants attackers complete control over affected systems.

What makes the MegaRAC vulnerability dangerous

CVE-2024-54085 carries a perfect severity score of 10.0 out of 10, reflecting its potential for devastating impact. The flaw is an authentication bypass by spoofing vulnerability affecting AMI MegaRAC SPx firmware, allowing attackers to trick the Redfish management interface into believing they are authorized users.

“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components,” an Eclypsium research report said in March. The report added that attacks could cause “indefinite reboot loops that a victim cannot stop.”

The vulnerability targets baseboard management controllers (BMCs), specialized computer chips embedded on server motherboards that provide remote management capabilities. Think of BMCs as a separate mini-computer inside your server that stays running even when the main server is shut down, allowing IT teams to troubleshoot problems, install updates, and restart systems remotely.

The spoofing attack works by manipulating HTTP request headers sent to the Redfish interface. Attackers can add specific values to headers like “X-Server-Addr” to make their external requests appear as if they’re coming from inside the server itself. Since the system automatically trusts internal requests as authenticated, this spoofing technique grants attackers administrator privileges without needing valid credentials.
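To make the trust failure concrete, here is a simplified model of the pattern the article describes, written for this page and not taken from AMI's firmware: a request handler that decides a caller is "internal" (and therefore authenticated) from a client-supplied header, beside a hardened handler that derives origin only from the socket peer address and still requires a session token. The request structure, the loopback addresses treated as internal, the session store and the function names are all constructed assumptions for the example.

```python
"""
Model of header-trust authentication versus socket-based authentication.
Added illustration only; not MegaRAC code. All addresses, tokens and
helper names are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional

# Assumed set of peer addresses a BMC treats as "the host side" of its interface.
INTERNAL_PEERS = {ip_address("127.0.0.1"), ip_address("::1")}

# Constructed stand-in for Redfish session management: token -> role.
VALID_SESSIONS = {"tok-1234": "admin"}


@dataclass
class Request:
    peer_addr: str                         # address the TCP connection really came from
    headers: Dict[str, str] = field(default_factory=dict)
    session_token: Optional[str] = None


def vulnerable_authorize(req: Request) -> Optional[str]:
    """Flawed pattern: a client-controlled header decides whether the request is internal.

    Returns the effective role, or None when the request is rejected.
    """
    claimed = req.headers.get("X-Server-Addr", "").split(",")[0].strip()
    try:
        # The defect: the header value, which any client can set, short-circuits authentication.
        if ip_address(claimed) in INTERNAL_PEERS:
            return "admin"
    except ValueError:
        pass  # not an IP literal; fall through to normal session checking
    return VALID_SESSIONS.get(req.session_token or "")


def hardened_authorize(req: Request) -> Optional[str]:
    """Hardened pattern: origin comes from the socket, and origin never replaces a session.

    Headers are ignored for trust decisions. The peer address can be used for
    logging or for restricting which paths are reachable, but even an internal
    peer must present a valid session token.
    """
    origin_internal = ip_address(req.peer_addr) in INTERNAL_PEERS
    role = VALID_SESSIONS.get(req.session_token or "")
    if role is None:
        return None
    # Example of a legitimate use of socket origin: annotate, do not authorize.
    return f"{role}@internal" if origin_internal else role


def describe(req: Request) -> List[str]:
    """Return how each handler treats the same request, for side-by-side comparison."""
    return [
        f"vulnerable -> {vulnerable_authorize(req)}",
        f"hardened   -> {hardened_authorize(req)}",
    ]


if __name__ == "__main__":
    # Constructed external request that carries a spoofed header and no session.
    spoofed = Request(peer_addr="203.0.113.5", headers={"X-Server-Addr": "127.0.0.1"})
    for line in describe(spoofed):
        print(line)
```

The defensive point is that every request header is attacker-controlled unless a trusted reverse proxy in front of the service strips client copies and sets its own; a BMC that speaks HTTP directly has no such proxy, so the only origin information it can rely on is the socket peer, and even that should scope what a caller may reach rather than stand in for authentication.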

Slow vendor response creates risk window

The vulnerability exemplifies complex enterprise security challenges posed by firmware supply chains. AMI sits at the top of the server supply chain, but each vendor must integrate patches into their own products before customers can deploy them.

Lenovo took until April 17 to release its patch, while Asus patches for four motherboard models only appeared in recent weeks. Hewlett Packard Enterprise was among the faster responders, releasing updates in March for its Cray XD670 systems used in AI and high-performance computing workloads.

The patching delays are particularly concerning given the vulnerability’s scope. Manufacturers known to use AMI’s MegaRAC SPx BMC include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm, representing a significant portion of enterprise server infrastructure. NetApp also confirmed in its security advisory NTAP-20250328-0003 that multiple NetApp products incorporating MegaRAC BMC firmware are also affected, expanding the impact to storage infrastructure.

Dell had earlier confirmed its systems are unaffected since it uses its own iDRAC management technology instead of AMI’s MegaRAC.

Enterprise operations at risk

This widespread vendor impact translates into serious operational risks for enterprises. BMCs operate at a privileged level below the main operating system, making attacks particularly dangerous.

“Due to the privileged position that BMCs have over the host operating system, attackers could exploit such flaws to deploy highly persistent rootkits and malware implants for long-term cyberespionage,” security researchers have explained. These malicious programs could “reinfect the OS even after it’s been completely wiped and restored.”

According to the Eclypsium report, in destructive attack scenarios, “attackers can leverage the often heterogeneous environments in data centers to potentially send malicious commands to every other BMC on the same management segment, forcing all devices to continually reboot.” The report warned that “in extreme scenarios, the net impact could be indefinite, unrecoverable downtime until and unless devices are re-provisioned.”

This capability makes the vulnerability attractive for both ransomware operators and nation-state actors seeking to disrupt critical infrastructure.

Pattern of persistent problems

CVE-2024-54085 is part of an ongoing series of security issues that Eclypsium researchers have discovered in AMI’s MegaRAC platform. The researchers noted they found this latest flaw while examining AMI’s fix for a previous authentication bypass vulnerability reported in 2023.

The pattern of recurring vulnerabilities in the same firmware platform raises questions about the security development lifecycle for critical infrastructure components. For enterprise security teams, this trend suggests that AMI MegaRAC SPx-based systems may require more frequent security assessments and closer monitoring than other server management platforms.

Security researchers using the Shodan search engine found over 1,000 internet-exposed MegaRAC instances that could potentially be vulnerable. However, the vulnerability can also be exploited through local networks, making internal network segmentation essential.
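The two points above, exposure beyond the management segment and the spoofable header, are both things a defender can watch for in access logs collected from BMCs or from a proxy in front of them. The script below is an added example for this page, not a tool from the article or from AMI: it triages a handful of constructed log lines in an invented format (`<src_ip> <method> <path> <status> hdr=<comma-separated header names>`) and flags Redfish requests that arrive from outside an assumed management subnet or that carry an `X-Server-Addr` header from the client side. The subnet, the log format and the sample lines are all assumptions.

```python
"""
Triage of constructed Redfish access-log lines for segmentation and header-spoofing signals.
Added example; the log format, subnet and sample data are invented for illustration.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed management segment; real deployments would list their own CIDRs.
MGMT_NETS = [ip_network("10.10.0.0/24")]

# Constructed log format: "<src_ip> <method> <path> <status> hdr=<name,name,...>"
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) hdr=(?P<hdrs>\S*)$"
)

# Constructed sample lines for the example.
SAMPLE_LOG = """\
10.10.0.23 GET /redfish/v1/Systems 200 hdr=host,user-agent,x-auth-token
203.0.113.9 GET /redfish/v1/ 401 hdr=host,user-agent
198.51.100.7 POST /redfish/v1/SessionService/Sessions 200 hdr=host,user-agent,x-server-addr
10.10.0.40 GET /images/logo.png 200 hdr=host
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ip_address(m.group("src"))
    except ValueError:
        return None
    hdrs = {h.lower() for h in m.group("hdrs").split(",") if h}
    return {
        "src": src,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "headers": hdrs,
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Redfish request that trips a segmentation or spoof-header signal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not str(rec["path"]).startswith("/redfish/"):
            continue
        reasons = []
        if not any(rec["src"] in net for net in MGMT_NETS):
            reasons.append("source outside management segment")
        if "x-server-addr" in rec["headers"]:
            reasons.append("client-supplied X-Server-Addr header")
        if not reasons:
            continue
        # A spoof-header request that succeeded (2xx) deserves the highest priority.
        spoof_and_success = ("client-supplied X-Server-Addr header" in reasons
                             and 200 <= int(rec["status"]) < 300)
        findings.append({
            "src": str(rec["src"]),
            "path": rec["path"],
            "status": rec["status"],
            "reasons": reasons,
            "priority": "high" if spoof_and_success else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['priority']}] {f['src']} {f['path']} {f['status']}: {'; '.join(f['reasons'])}")
```

Two caveats apply when adapting this to real telemetry: a reverse proxy that legitimately sets `X-Server-Addr` must be excluded from the header signal by its own source address, and a BMC that is reachable only from the management segment still needs the segment itself watched, since the article notes the flaw is exploitable from local networks as well as from the internet.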

With active exploitation confirmed, enterprise security teams face urgent decisions about risk mitigation. Firmware patching complexity means updates typically require specialized software utilities and system downtime, unlike conventional software patches.

The CISA advisory requires federal agencies to remediate the vulnerability within prescribed timeframes, under Binding Operational Directive 22-01. While private sector organizations aren’t legally bound by these requirements, the KEV catalog designation serves as a clear signal that this vulnerability poses immediate, real-world threats that demand urgent attention.


Gyana Swain is a seasoned technology journalist with over 20 years’ experience covering the telecom and IT space. He is a consulting editor with VARINDIA and earlier in his career, he held editorial positions at CyberMedia, PTI, 9dot9 Media, and Dennis Publishing. A published author of two books, he combines industry insight with narrative depth. Outside of work, he’s a keen traveler and cricket enthusiast. He earned a B.S. degree from Utkal University.


Original Post url: https://www.networkworld.com/article/4013368/ami-megarac-authentication-bypass-flaw-is-being-exploitated-cisa-warns.html

Category & Tags: Security, Vulnerabilities
