AMI BMC Flaw: Remote Takeover and DoS of Server Infrastructure
A new critical vulnerability with the highest possible severity score, CVE-2024-54085 (CVSS 10), has just been disclosed. It affects the widely used American Megatrends (AMI) MegaRAC BMC (Baseboard Management Controller) firmware and allows an unauthenticated attacker to bypass authentication and take over the controller. Because AMI's firmware sits deep in the motherboard supply chain, dozens of major hardware vendors are likely affected. A full technical explanation and a proof-of-concept (PoC) exploit are publicly available, which further increases the risk.
The PoC effectively creates a new service account through the Redfish management interface and thereby gains unauthenticated access to all remote BMC features. The exploit was verified against HPE Cray XD670, Asus RS720A-E11-RS24U and ASRockRack systems. Other analysts have noted that although the CVE was published in 2025, its ID (CVE-2024-54085) was likely reserved in 2024.
CVE-2024-54085 allows an attacker to:
- Exploit and remotely control a server
- Install malware on the server including ransomware
- Modify firmware for tampering
- Brick motherboard components (the BMC itself, or potentially the BIOS/UEFI)
- Cause physical damage via over-voltage
- Induce indefinite reboot loops causing DoS conditions
Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for a vulnerable BMC.
Potential Scope of the Impact
Redfish, the interface affected here, is one of several management interfaces that a BMC such as MegaRAC exposes for remote server management. The Redfish standard has seen significant adoption in the enterprise server market as a modern replacement for legacy management interfaces such as IPMI. The scope of the impact covers all products, whether IT, OT or IoT devices, that use AMI's MegaRAC. When similar flaws were previously discovered in MegaRAC, the scope included products from Asus, Dell, Gigabyte, Hewlett Packard Enterprise, Lanner, Lenovo, NVIDIA and Tyan. AMI released patches on March 11, 2025, and HPE and Lenovo have already issued updates for affected products.
A Technical Description of CVE-2024-54085
CVE-2024-54085 is a flaw in AMI's SPx (Service Processor) firmware stack, which is part of AMI's MegaRAC BMC solution. BMCs are microcontrollers embedded on a server's motherboard that enable remote management and monitoring of the server, even when the system is powered off or unresponsive.
CVE-2024-54085 is classified as an "Authentication Bypass by Spoofing" [CWE-290] flaw. Using a client's IP address for authentication is a typical scenario in which CWE-290 occurs, since the source IP address can often be spoofed by the sender. Although AMI's advisory is thin on details, the Eclypsium researchers credited with the discovery have published a detailed article explaining the root cause. CVE-2024-54085 does in fact stem from using an IP address as a means of authentication: the Redfish service's Lua-based access control logic uses HTTP headers, either X-Server-Addr or Host, to decide whether a request is internal or external, and automatically treats internal requests as authenticated.
In BMC systems like MegaRAC, the "host interface" refers to the logical and physical connection between the BMC and the main server system (the host). For simplicity, this can be compared to the loopback interface (often named lo) with the IP address 127.0.0.1 and hostname localhost. In this case, the interface that carries traffic between the BMC chip and the host is assigned an address from the link-local IP range (169.254.0.0 to 169.254.255.255). This address is included in a list of trusted addresses consulted during MegaRAC's HTTP authentication, so successfully spoofing it results in an authentication bypass. By reverse engineering the MegaRAC firmware, the researchers found the link-local address 169.254.0.17 in use across several BMC models.
The flaw also depends on a regular expression that extracts all text from the X-Server-Addr header before the first colon character and checks whether that text matches one of the trusted IPs stored in a Redis database. The BMCs use Lighttpd as an embedded web server, which was found to add its own X-Server-Addr value automatically. If the request already contains a client-supplied X-Server-Addr header, Lighttpd appends its value after the client-supplied one, so the attacker controls the text the regex extracts. By supplying an X-Server-Addr value that matches the host interface's link-local address followed by a colon (such as 169.254.0.17:), an attacker tricks the BMC into treating the request as if it came from the internal host interface, bypassing authentication entirely. Without the trailing colon the trick fails, because the text before the first colon would then also contain Lighttpd's appended value and no longer match a trusted address.
Once authentication is bypassed, the rest of the HTTP request is processed, allowing the attacker to execute arbitrary API actions such as creating privileged accounts to gain full remote control over the server’s BMC and access its admin web-interface.
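The following Python model is an added example written for this article; it is not the MegaRAC firmware's Lua code, nor Eclypsium's PoC. It reproduces the decision logic described above (header merging by the web server, "text before the first colon", lookup in a trusted set) and places a hardened check beside it that decides "internal or external" from socket addresses the client cannot influence. The trusted address 169.254.0.17 is taken from the article; the external BMC address 192.0.2.10, the attacker address 203.0.113.5, the host-side address 169.254.0.2, the comma used to join header values and the regular expression itself are assumptions made for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed values for this demonstration. 169.254.0.17 is the
# host-interface address named in the article; the "Redis" trusted list
# is modelled as a plain Python set.
HOST_IFACE_ADDR = "169.254.0.17"
TRUSTED_INTERNAL = {HOST_IFACE_ADDR}

# Modelled on the behaviour described by the researchers: keep everything
# before the first colon. The firmware's actual pattern is not reproduced.
ADDR_BEFORE_COLON = re.compile(r"^([^:]*)")


def lighttpd_merge(client_headers, local_addr, local_port=443):
    """Model of the embedded web server adding its own X-Server-Addr.

    Assumption: if the client already sent the header, the server's value
    is appended after the client's, the way HTTP joins repeated header
    values with a comma. The separator is irrelevant to the bypass; the
    order (client value first) is what matters.
    """
    own = f"{local_addr}:{local_port}"
    merged = dict(client_headers)
    key = "X-Server-Addr"
    merged[key] = f"{merged[key]}, {own}" if key in merged else own
    return merged


def is_internal_vulnerable(client_headers, local_addr, local_port=443):
    """Vulnerable decision: trusts the (client-influenced) header value."""
    headers = lighttpd_merge(client_headers, local_addr, local_port)
    extracted = ADDR_BEFORE_COLON.match(headers["X-Server-Addr"]).group(1).strip()
    return extracted in TRUSTED_INTERNAL


def is_internal_fixed(peer_addr, local_addr):
    """Hardened decision: uses only socket addresses the client cannot set.

    A request is internal only if it arrived on the BMC's host-interface
    address and the peer is itself link-local. Headers are ignored.
    """
    return (ip_address(local_addr) == ip_address(HOST_IFACE_ADDR)
            and ip_address(peer_addr).is_link_local)


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 = BMC's external management IP,
    # 203.0.113.5 = attacker, 169.254.0.2 = the host OS on the host interface.
    cases = [
        ("host OS, no header", "169.254.0.2", HOST_IFACE_ADDR, {}),
        ("attacker, spoofed with colon", "203.0.113.5", "192.0.2.10",
         {"X-Server-Addr": "169.254.0.17:"}),
        ("attacker, spoofed without colon", "203.0.113.5", "192.0.2.10",
         {"X-Server-Addr": "169.254.0.17"}),
    ]
    for name, peer, local, hdrs in cases:
        print(f"{name:34} vulnerable={is_internal_vulnerable(hdrs, local)!s:5} "
              f"fixed={is_internal_fixed(peer, local)}")
```

Running the script shows the three outcomes that matter: the legitimate host-side request is accepted by both checks, the spoofed header with the trailing colon passes the vulnerable check but not the hardened one, and the same header without the colon fails the vulnerable check because the appended server value lands before the first colon. The general lesson is that any header a client can send must never feed an authorization decision; only the connection's own addresses, or a real credential, can.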
Steps for Mitigating CVE-2024-54085
Organizations must track their hardware vendors' advisories closely and apply the correct firmware updates as soon as they become available. As a temporary safeguard, organizations can consult their device manuals to determine whether Redfish can be disabled if it is not in use. Since a BMC can remain active even when the main server is powered down, affected systems must be treated as persistently exposed until the firmware is patched, unless Redfish is disabled or the BMC management interface is isolated from untrusted networks (air-gapped). Security teams can also add firewall or IPS rules to block exploitation attempts and shield vulnerable BMC management interfaces.
Because the flaw lies in embedded proprietary firmware, patching is more complex than applying a routine operating system or application update. Unlike conventional software, BMC firmware resides on a dedicated chip on the motherboard, so updates typically require a vendor-supplied utility to "flash" the new firmware image. This usually means downtime, since administrators may need to boot into a special environment and reboot the system once the update has completed.
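As an illustration of the kind of logic an IPS or log-monitoring rule for this flaw would implement, here is an added Python example written for this article (it is not Greenbone's vulnerability test and not a vendor rule). It inspects request headers seen by a sensor on the BMC's external management network and flags the two conditions the article's root-cause analysis makes suspicious: a client sending X-Server-Addr at all (the BMC's own web server is supposed to set that header) and either X-Server-Addr or Host naming a link-local address. The sample traffic, the client addresses and the header values are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")
# Headers the article names as inputs to the BMC's internal/external decision.
WATCHED_HEADERS = {"x-server-addr", "host"}


def leading_address(value):
    """Return the text before the first colon, the way the vulnerable
    check extracts it, as an IP address, or None if it is not one."""
    candidate = value.split(":", 1)[0].strip()
    try:
        return ip_address(candidate)
    except ValueError:
        return None


def inspect_request(client_ip, header_lines):
    """Return a list of reasons a request from `client_ip` looks like a
    CVE-2024-54085 attempt (an empty list means nothing suspicious).

    Only traffic from outside the link-local host interface is judged: a
    sensor on the external management network never sees legitimate
    host-interface requests, and X-Server-Addr is a header the BMC's web
    server sets itself, so a client sending it at all is anomalous.
    """
    if ip_address(client_ip) in LINK_LOCAL:
        return []
    reasons = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name not in WATCHED_HEADERS:
            continue
        if name == "x-server-addr":
            reasons.append("client-supplied X-Server-Addr header")
        addr = leading_address(value)
        if addr is not None and addr in LINK_LOCAL:
            reasons.append(f"{name} names link-local address {addr}")
    return reasons


# Constructed sample traffic (not real captures): (client IP, header lines).
SAMPLE_TRAFFIC = [
    ("10.20.30.40", ["Host: bmc01.example.internal",
                     "Authorization: Basic dXNlcjpwYXNz"]),
    ("203.0.113.5", ["Host: 192.0.2.10",
                     "X-Server-Addr: 169.254.0.17:",
                     "Content-Type: application/json"]),
    ("203.0.113.5", ["Host: 169.254.0.17:443"]),
]


def scan(traffic):
    """Return only the (client_ip, reasons) pairs that fired."""
    hits = []
    for client_ip, headers in traffic:
        reasons = inspect_request(client_ip, headers)
        if reasons:
            hits.append((client_ip, reasons))
    return hits


if __name__ == "__main__":
    for client_ip, reasons in scan(SAMPLE_TRAFFIC):
        print(client_ip, "->", "; ".join(reasons))
```

A rule of this shape is a stop-gap, not a fix: it only sees traffic that passes the sensor, and it cannot protect a BMC whose management port is reachable by a path the sensor does not cover. Treat a hit as an attempted exploitation of an unpatched controller and prioritise the firmware update for that system.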
Summary
CVE-2024-54085 poses an extreme risk to enterprise infrastructure, allowing unauthenticated remote control of servers from major vendors like HPE and Lenovo. Given AMI’s dominant presence in data centers, exploitation could lead to mass outages, bricked hardware, or persistent downtime – making urgent detection and firmware patching essential for all affected systems.
Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for an exploitable BMC interface.

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.