
Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

Filip Dimitrov

June 26, 2025

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited Vulnerabilities (KEV) catalog. 

The vulnerability allows attackers to spoof trusted internal IPs (e.g., 169.254.x.x), bypass authentication, and gain full out-of-band control of target servers.

Key details:

  • Date: June 26, 2025
  • Severity: Critical (CVSS v4: 10.0)
  • Affected Component: AMI MegaRAC SPx BMC via Redfish Host Interface

Technical Impact

CVE‑2024‑54085 is assigned a CVSS v4.0 score of 10.0 (Critical). Successful exploitation enables attackers to:

  • Remotely reboot or shut down servers
  • Modify or overwrite firmware
  • Install persistent rootkits or backdoors
  • Bypass operating system and endpoint-level security controls

Because BMCs operate independently of the host OS, attackers can maintain stealthy, long-term access, even in hardened environments. This vulnerability effectively hands over hardware-level access to the attacker.

Affected Products

The vulnerability impacts a wide range of server platforms that integrate AMI MegaRAC SPx firmware, including:

  • ASUS, Lenovo, ASRockRack, HPE, Supermicro
  • Custom OEM and ODM systems using AMI’s Redfish stack

Firmware updates have been issued by AMI and select vendors since March 2025, but patch coverage across the ecosystem remains uneven.

Exploitation in the Wild

CISA’s inclusion of CVE‑2024‑54085 in the KEV catalog confirms that the vulnerability is being actively exploited. Public proof-of-concept (PoC) code is available, and exploitation attempts are likely to rise rapidly in unmanaged or internet-exposed environments.

Federal agencies must apply mitigations by July 16, 2025 under Binding Operational Directive (BOD) 22‑01. All organizations, public or private, should follow suit without delay.

Recommended Actions

  1. Apply Firmware Updates:
    Download and apply the latest BMC firmware patches from your server vendor. Where updates are unavailable, escalate with your OEM.
  2. Restrict Network Access:
    Isolate BMC and Redfish interfaces from public and production networks. Access should be limited to secure management VLANs or jump boxes.
  3. Harden Authentication & Interfaces:
    Disable unauthenticated Redfish access. Enforce strong authentication, access controls, and monitoring on BMC interfaces.
  4. Review Server Inventory:
    Identify all hardware using AMI MegaRAC SPx firmware. Decommission or isolate systems that cannot be patched.
  5. Monitor for Signs of Compromise:
    Enable logging and alerts for unusual BMC activity, unexpected firmware changes, or Redfish interface requests.
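One way to act on the monitoring step above, as an added example that is not part of this advisory or of AMI's tooling: it scans BMC web-server access lines for Redfish requests that arrive from outside the management network, or whose claimed client address is link-local (169.254.x.x) while the TCP peer is not. The log format, the `10.20.0.0/24` management VLAN and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample log lines in a hypothetical BMC access-log format:
#   peer_ip claimed_client_ip method path status
# ("-" means no client address was asserted). Not taken from any real device.
SAMPLE_LOG = """\
10.20.0.5 - GET /redfish/v1/Systems 200
203.0.113.7 - GET /redfish/v1/Managers 401
203.0.113.7 169.254.1.1 POST /redfish/v1/Managers/1/Actions/Manager.Reset 200
10.20.0.5 169.254.0.17 GET /redfish/v1/UpdateService 200
192.0.2.9 - GET /redfish/v1/UpdateService/FirmwareInventory 200
"""

# Assumed: the only network from which BMC/Redfish access is legitimate.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def analyze(log_text):
    """Return (line_number, reason) findings for suspicious Redfish requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        peer, claimed, _method, path, _status = m.groups()
        if not path.startswith("/redfish/"):
            continue
        peer_ip = ipaddress.ip_address(peer)
        # Any Redfish traffic not originating from the management VLAN.
        if not any(peer_ip in net for net in MGMT_NETS):
            findings.append((lineno, "redfish request from outside management network"))
        # A link-local client address asserted by a peer that is not link-local
        # is the spoofing pattern this advisory describes.
        if claimed != "-":
            claimed_ip = ipaddress.ip_address(claimed)
            if claimed_ip in LINK_LOCAL and peer_ip not in LINK_LOCAL:
                findings.append((lineno, "link-local client address claimed by non-link-local peer"))
    return findings


if __name__ == "__main__":
    for lineno, reason in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Feed the same checks real BMC access logs (after adapting `LINE_RE` to their format) and alert on any hit, since legitimate Redfish clients on an isolated management VLAN should trigger neither rule.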

If you’re unsure whether your infrastructure is exposed, or need assistance with patch validation, hardening, or threat hunting:

Contact us today and we’ll help you assess, secure, and defend your environment before attackers get in.
