
Critical MegaRAC BMC Bug Lets Hackers Hijack Servers


A newly discovered critical security vulnerability in American Megatrends International’s (AMI) MegaRAC BMC firmware is putting thousands of servers at risk of remote hijacking or permanent damage.

What is MegaRAC BMC and Why This Matters

The MegaRAC BMC firmware powers remote management systems for servers, providing “lights-out” access that allows IT admins to troubleshoot and control servers from anywhere — even if the machine is turned off. This widely used firmware is embedded in servers from top vendors like HPE, Asus, ASRock, and others, making it a core component of data center and cloud infrastructure worldwide.

However, a new high-severity vulnerability (CVE-2024-54085) could turn this powerful feature into a dangerous backdoor. According to cybersecurity firm Eclypsium, attackers could remotely gain full control over vulnerable servers — and it doesn’t even require user interaction.

CVE-2024-54085: A Dangerous Authentication Bypass Flaw

The security flaw, labeled CVE-2024-54085, allows remote unauthenticated attackers to bypass authentication on affected MegaRAC BMC interfaces. Attackers could exploit it through external remote management interfaces like Redfish or internally via the host system connecting to the BMC.

Once inside, the attacker could:

  • Take complete remote control of the server
  • Deploy malware or ransomware
  • Tamper with firmware
  • Brick the motherboard components (BMC or BIOS/UEFI)
  • Trigger damaging over-voltage events
  • Cause endless reboot loops, making servers unusable

“Exploitation of this vulnerability could result in permanent server damage or complete system hijack,” Eclypsium warned in its report.

Which Servers Are Affected?

The vulnerability impacts several server models confirmed by Eclypsium, including:

  • HPE Cray XD670
  • Asus RS720A-E11-RS24U
  • ASRockRack platforms

However, given AMI’s vast market reach, many more devices and manufacturers are likely exposed. Eclypsium researchers also identified over 1,000 potentially vulnerable servers exposed online using the Shodan search engine.

This Isn’t AMI’s First BMC Security Scare

CVE-2024-54085 is just the latest in a series of vulnerabilities found in AMI’s MegaRAC BMC software. Over the past two years, researchers uncovered several critical flaws under the BMC&C project:

  • CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258 — allowing remote hijacking and malware deployment
  • CVE-2023-34330 — a code injection flaw exploitable via Redfish, enabling further system compromise
  • CVE-2022-40258 — weak password hashes for Redfish and API, simplifying admin password cracking

This latest flaw was discovered during an investigation into a previous vulnerability (CVE-2023-34329) reported by Eclypsium in July 2023.

How Serious is This Vulnerability?

While no active exploitation has been detected yet, Eclypsium warns that crafting an exploit is not difficult — especially because AMI’s firmware binaries remain unencrypted.

Given the potential to brick servers or cause hardware damage, the flaw is rated maximum severity and poses a huge risk to data centers and cloud providers.

What Should Data Centers and Server Admins Do?

Patches are available and must be applied immediately. AMI, Lenovo, and HPE released security updates on March 11.

Recommended Actions:

  • Apply firmware patches from your vendor
  • Avoid exposing MegaRAC interfaces to the internet
  • Monitor server logs for suspicious activity or unauthorized access attempts
  • Schedule downtime for patching — the process is complex and cannot be done live
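As an added example (not from the article, Eclypsium or AMI), a small Python triage script that automates the two checks above that lend themselves to tooling: whether each BMC address sits on the isolated management network, and whether the firmware version the BMC reports matches what the vendor lists as fixed. It reads the standard Redfish Manager resource; the management subnet, the "EXAMPLE-BMC" model string and the sample response are constructed, and the fixed-version table is an empty placeholder to fill from your vendor's advisory.

```python
import base64
import ipaddress
import json
import ssl
import urllib.request

# Constructed: the isolated management subnet BMCs are supposed to live on.
MGMT_NETWORKS = [ipaddress.ip_network("10.250.0.0/16")]

# Placeholder, deliberately empty: map a Redfish Manager "Model" string to the
# set of firmware versions your vendor's advisory lists as fixed.
KNOWN_FIXED = {}

def outside_mgmt_network(host):
    """True when the BMC address is not inside any expected management subnet."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: resolve it first; until then treat as exposed
    return not any(ip in net for net in MGMT_NETWORKS)

def parse_manager(doc):
    """Extract the standard Redfish Manager properties the triage needs."""
    return {"model": doc.get("Model", "unknown"),
            "firmware": doc.get("FirmwareVersion", "unknown")}

def assess(host, manager_doc, known_fixed=KNOWN_FIXED):
    """Return a triage record with zero or more findings for one BMC."""
    info = parse_manager(manager_doc)
    findings = []
    if outside_mgmt_network(host):
        findings.append("BMC address is outside the management network")
    fixed = known_fixed.get(info["model"])
    if fixed is None:
        findings.append("no fixed version on file for this model; check vendor advisory")
    elif info["firmware"] not in fixed:
        findings.append(f"firmware {info['firmware']} is not a listed fixed version")
    return {"host": host, **info, "findings": findings}

def fetch_manager(host, user, password, manager_id="1", verify_tls=True):
    """GET /redfish/v1/Managers/<id> with HTTP Basic auth (standard Redfish)."""
    url = f"https://{host}/redfish/v1/Managers/{manager_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # many BMCs ship self-signed certs; opt out explicitly
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

# Constructed sample response so the triage logic can be exercised offline.
SAMPLE_MANAGER = {"@odata.id": "/redfish/v1/Managers/1",
                  "Model": "EXAMPLE-BMC", "FirmwareVersion": "1.0.0"}
```

In production, replace the sample with `fetch_manager(host, user, password)` for each BMC in your inventory and review every record whose findings list is non-empty.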

The Supply Chain Impact

Eclypsium emphasizes that only AMI’s BMC stack is affected by this flaw. However, because AMI is a critical supply chain player, the vulnerability impacts over a dozen server manufacturers downstream.

“Patching will require coordination with your hardware vendors, and it’s a non-trivial exercise needing device downtime,” Eclypsium warned.
