Critical AMI MegaRAC BMC Flaw Allows Remote Server Control

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of CVE-2024-54085—a maximum-severity (10/10) authentication bypass in AMI MegaRAC baseboard management controllers (BMCs). These microcontrollers, embedded on server motherboards, enable out-of-band management even when the OS is offline. A successful compromise of a single BMC can give attackers root-level control over entire server fleets, posing a severe risk to data centers worldwide.
How the Vulnerability Works
CVE-2024-54085 allows remote creation of administrative accounts via an unauthenticated HTTP request. Eclypsium disclosed the flaw in March 2025 together with proof-of-concept code that demonstrated how login checks could be bypassed and credentials injected without any valid token or password. Until this week, no in-the-wild exploitation had been reported.
- Attacker sends a specially crafted HTTP POST to the BMC’s Redfish endpoint.
- BMC firmware fails to verify session cookies or X-Auth-Token headers.
- New local admin account is silently created with full privileges.
Active Exploitation and Threat Landscape
On June 26, 2025, CISA added CVE-2024-54085 to its Known Exploited Vulnerabilities (KEV) catalog. While details remain sparse, Eclypsium and other researchers warn espionage-oriented APT groups—particularly those linked to nation-state operations—are the prime suspects. These actors often target firmware to maintain persistence and evade detection.
“With BMC-level access, adversaries operate below the OS, bypassing antivirus and SIEM solutions,” says Dr. Elena Morris, a firmware security lead at Forrester Research.
Technical Specifications and Attack Vectors
- Firmware Versions Affected: MegaRAC SP-X versions prior to 5.4.7.2 and MegaRAC BMC versions before 3.1.0.0.
- Interfaces: Redfish (RESTful), IPMI (legacy), web UI (HTTP/HTTPS).
- Supported Chipsets: AMD EPYC, Ampere Altra, Qualcomm Centriq, Arm Neoverse.
- Server Vendors: AMD, Ampere Computing, ASRock Rack, Arm, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, Qualcomm.
Firmware-Level Attack Vectors
Once the authentication bypass succeeds, attackers can:
- Install malicious firmware modules that survive OS reinstall and disk replacement.
- Intercept system memory traffic via Direct Memory Access (DMA).
- Manipulate power controls to cause unplanned reboots or hardware damage.
Impact on Data Center Operations
Data center managers rely on BMCs for BIOS updates, OS deployment, and remote power cycling. A compromised BMC can:
- Evade endpoint detection by operating beneath the OS.
- Exfiltrate credentials and encryption keys stored in NVRAM.
- Launch lateral movement across internal VLANs.
- Render servers unbootable by corrupting system firmware.
Detection and Monitoring
Traditional IDS/IPS solutions often do not monitor BMC traffic. Recommended strategies include:
- Deploy network segmentation: isolate BMC management interfaces on a dedicated VLAN or VPN.
- Implement anomaly detection: baseline Redfish API calls and alert on unauthorized account creation.
- Enable secure protocols: disable HTTP and force HTTPS with mutual TLS.
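One way to implement the Redfish baselining and account-creation alerting described above, as an added example that is not code from the original article or from AMI. It assumes a simplified, constructed access-log layout, a management VLAN of 10.0.5.0/24, and the standard Redfish AccountService/Accounts resource path; any real MegaRAC deployment would need a parser for its vendor's actual log format.

```python
import ipaddress
import re

# Constructed sample of a BMC HTTP access log. The field layout is an assumption;
# vendor MegaRAC builds log differently and need their own parser.
SAMPLE_LOG = """\
10.0.5.21 GET /redfish/v1/Systems/1 200 auth=session
10.0.5.21 POST /redfish/v1/AccountService/Accounts 201 auth=session
203.0.113.77 POST /redfish/v1/AccountService/Accounts 201 auth=none
10.0.5.99 PATCH /redfish/v1/AccountService/Accounts/3 200 auth=none
10.0.5.21 DELETE /redfish/v1/AccountService/Accounts/4 403 auth=none
"""

MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed BMC management VLAN
ACCOUNTS_RE = re.compile(r"^/redfish/v1/AccountService/Accounts(/[^/]+)?/?$")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) auth=(\S+)$")
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}

def parse_line(line):
    """Return (client, method, path, status, authenticated) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, path, status, auth = m.groups()
    return client, method, path, int(status), auth != "none"

def in_mgmt_net(client):
    # True only when the client sits inside the isolated BMC management VLAN
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in MGMT_NETS)

def detect(log_text):
    """Flag accepted writes to the Redfish account store as (severity, reason, raw_line)."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, method, path, status, authenticated = rec
        if method not in WRITE_METHODS or not ACCOUNTS_RE.match(path):
            continue
        if not 200 <= status < 300:
            continue  # rejected attempts are out of scope; the bypass succeeds with a 2xx
        if not authenticated:
            alerts.append(("HIGH", "account write accepted without a session token", raw))
        elif not in_mgmt_net(client):
            alerts.append(("HIGH", "account write from outside the management VLAN", raw))
        else:
            alerts.append(("REVIEW", "account write; confirm against change records", raw))
    return alerts
```

Every successful account write is surfaced, because legitimate BMC account changes are rare enough to review individually; unauthenticated or off-VLAN writes are the direct signature of the bypass.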
Mitigation Strategies and Best Practices
Administrators should:
- Immediately audit all MegaRAC BMC firmware versions and upgrade to vendor-published patches.
- Rotate default BMC credentials and enforce strong, unique passwords.
- Enable multifactor authentication (MFA) on management portals where supported.
- Review firewall rules to restrict BMC access to authorized IP addresses only.
Patch Deployment Challenges
Organizations often delay BMC updates due to planned maintenance windows or concerns over service interruptions. Key considerations:
- Test firmware updates in staging environments before rolling out to production.
- Coordinate with hardware vendors to confirm patch compatibility.
- Use automated orchestration tools (Ansible, Redfish scripts) to scale patch deployment.
Future Outlook and Vendor Responses
Since the CISA alert, several vendors have released patches—Supermicro SP-X 5.4.7.2, Fujitsu iRMC S6 2.24, and Gigabyte MegaRAC BMC 3.1.0.0. Nvidia and Huawei are expected to publish updates by Q3 2025. Gartner analysts predict increased regulatory scrutiny on BMC firmware security and potential standards updates from the Trusted Computing Group (TCG).
“This incident underscores the need for supply-chain transparency and firmware signing verification,” notes Marcus Lee, senior analyst at Gartner.
Conclusion
CVE-2024-54085 represents one of the most dangerous firmware vulnerabilities in recent memory. Its active exploitation highlights the criticality of rigorous BMC management—patching, segmentation, and real-time monitoring—to safeguard server infrastructures from stealthy, persistent threats.