CVE-2024-54085 is a critical vulnerability in AMI’s MegaRAC Baseboard Management Controller (BMC) software. The flaw allows attackers to bypass authentication, granting them remote access to control affected servers. This could lead to significant damage, including malware deployment, firmware tampering, and physical harm to components like the motherboard. Devices from prominent manufacturers like HPE, Asus, and Lenovo are confirmed to be impacted by the vulnerability.
The vulnerability carries a maximum CVSS score of 10.0, indicating the highest level of severity. It could be exploited by both local and remote attackers via the Redfish management interface. Successful exploitation enables attackers to remotely control the machine, execute malicious actions, and trigger disruptive behaviors, including continuous reboot cycles. These attacks could cause extensive downtime, and in extreme cases, the affected devices could become permanently unusable until re-provisioned.
Security firm Eclypsium, which reported the vulnerability, found that over 1,000 internet-exposed MegaRAC instances are vulnerable. Although there have been no confirmed instances of active exploitation, the flaw is still a significant risk for many organizations. AMI has released patches addressing the vulnerability, but it’s up to device manufacturers like HPE and Lenovo to distribute these fixes to their customers.
While patching this issue is necessary to prevent exploitation, it is a non-trivial task. The process involves device downtime, which can be disruptive for users. The CVE-2024-54085 vulnerability is just the latest in a series of security issues uncovered in AMI MegaRAC BMCs since 2022. Organizations are urged to update their systems as soon as patches are made available to mitigate the risks associated with this vulnerability.
