
Analysis of AMI MegaRAC BMC Vulnerability: Criminal IP-Based Detection Strategies

This article examines the causes and impacts of vulnerabilities in the AMI MegaRAC Baseboard Management Controller (BMC).

A critical security vulnerability was recently discovered in the AMI MegaRAC Baseboard Management Controller (BMC), which is widely used by numerous server manufacturers. This vulnerability allows attackers to bypass authentication on the Redfish management interface, posing a serious threat that could result in a complete server takeover. According to researchers at Eclypsium, attackers exploiting this flaw could remotely control affected servers, deploy malware or ransomware, tamper with firmware, and compromise both the BMC and BIOS/UEFI.

This article outlines the root cause and impact of CVE-2024-54085, and provides effective detection and mitigation strategies using Criminal IP.

CVE-2024-54085 Vulnerability: Overview and Security Impact

Vulnerability Overview

CVE-2024-54085 was discovered during the patch review of a previously identified authentication bypass vulnerability, CVE-2023-34329. Systems running MegaRAC SP-X versions prior to 2024-08-27 are affected; the HPE Cray XD670 and Asus RS720A-E11-RS24U are among the server models confirmed as vulnerable.

This vulnerability stems from improper validation of HTTP header values in the host-interface-support-module.lua script of the Redfish interface. An attacker may bypass authentication by altering the X-Server-Addr header or leveraging an internal IP address.

Security Threats

  • Remote server control and compromise.
  • Distribution of malware and ransomware.
  • Firmware tampering and critical component damage (BMC, BIOS/UEFI).
  • Potential disruption of entire data center operations (e.g., infinite reboot attack).

The Eclypsium research team has cautioned that over 1,000 MegaRAC SP-X Redfish instances worldwide are exposed to the internet, posing severe security risks, especially given their vulnerability to attacks through internal networks.

Detecting AMI MegaRAC BMC Vulnerabilities with Criminal IP

Criminal IP Asset Search is an effective tool for detecting internet-exposed MegaRAC BMC-related assets and assessing their associated security risks. The two search queries below allow for quick and efficient identification of vulnerable assets.

MegaRAC SP-X Honeypot Detection Query

Criminal IP Search Query: title: MegaRAC SP-X

Criminal IP Asset Search Results for title: MegaRAC SP-X

This query returns every MegaRAC SP-X asset, including honeypots (decoy systems deployed for threat analysis), which must be distinguished from real infrastructure before the results are acted on.

As of March 27, 2025, a total of 1,449 exposed MegaRAC SP-X assets were identified through Criminal IP.

Suspected Honeypot IP Address Results

This IP address exposes a large number of open ports, a pattern common in honeypots, so it may not be a real asset and may behave differently from legitimate systems.

Detection Query for MegaRAC SP-X Excluding Honeypots

Criminal IP Search Query: ssl_subject_organization: "American Megatrends Incorporated" title: MegaRAC SP-X

Criminal IP Asset Search Results for ssl_subject_organization: "American Megatrends Incorporated" title: MegaRAC SP-X

This query keeps only assets whose TLS certificate subject organization is "American Megatrends Incorporated", which helps identify which assets in an organization's own network environment are exposed to the internet.

As of March 27, 2025, a total of 328 assets related to MegaRAC SP-X were identified through Criminal IP. Since these do not include honeypots, they represent actual systems that are vulnerable to potential attacks.

Criminal IP Asset Search enables real-time detection of vulnerable MegaRAC BMC assets while distinguishing them from honeypots. This proactive approach is essential for closing exposed vulnerabilities before they are exploited and for ensuring a swift response to threats.
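The triage logic the two queries above imply, written out as an added example that is not Criminal IP's code and does not use its API. The record fields (title, ssl_subject_organization, open_ports) mirror the query fields used in the article; the records themselves are constructed with RFC 5737 documentation addresses, and the open-port threshold used to flag a honeypot is an assumption based on the article's observation that the suspected honeypot stood out by its many open ports.

```python
"""Triage of asset-search records for exposed MegaRAC SP-X BMCs (added example)."""
from dataclasses import dataclass

TITLE_MATCH = "MegaRAC SP-X"                   # query 1: title: MegaRAC SP-X
AMI_ORG = "American Megatrends Incorporated"   # query 2: ssl_subject_organization filter
# Assumption: a real BMC answers on a handful of management ports, while a
# honeypot tends to answer on dozens. Tune for your own environment.
HONEYPOT_PORT_THRESHOLD = 20


@dataclass(frozen=True)
class Asset:
    ip: str
    title: str
    ssl_subject_organization: str
    open_ports: tuple


# Constructed records, not real scan output.
ASSETS = [
    Asset("203.0.113.10", "MegaRAC SP-X", AMI_ORG, (443, 623, 5900)),        # real-looking BMC
    Asset("203.0.113.11", "MegaRAC SP-X", "", tuple(range(21, 61))),        # honeypot-like
    Asset("203.0.113.12", "MegaRAC SP-X", "Example Lab", (443,)),           # title only
    Asset("203.0.113.13", "iDRAC9 Login", "Example Corp", (443,)),          # unrelated BMC
]


def query_title(assets):
    """Query 1 from the article: every asset whose page title matches."""
    return [a for a in assets if TITLE_MATCH in a.title]


def query_title_and_cert(assets):
    """Query 2: title match plus an AMI certificate subject organization."""
    return [a for a in query_title(assets) if a.ssl_subject_organization == AMI_ORG]


def suspected_honeypots(assets):
    """Title matches that expose far more open ports than a BMC needs."""
    return [a for a in query_title(assets) if len(a.open_ports) >= HONEYPOT_PORT_THRESHOLD]


def triage(assets):
    """Group results the way an analyst reads the two query counts side by side."""
    title_hits = query_title(assets)
    confirmed = {a.ip for a in query_title_and_cert(assets)}
    honeypots = {a.ip for a in suspected_honeypots(assets)}
    return {
        "title_matches": [a.ip for a in title_hits],
        "cert_confirmed": sorted(confirmed),
        "suspected_honeypot": sorted(honeypots),
        # Title hits that neither query 2 nor the port heuristic settles.
        "needs_review": sorted(a.ip for a in title_hits if a.ip not in confirmed | honeypots),
    }


if __name__ == "__main__":
    for bucket, ips in triage(ASSETS).items():
        print(f"{bucket:20s} {ips}")
```

The gap between the query 1 and query 2 counts (1,449 versus 328 in the article) is exactly the "needs_review" and "suspected_honeypot" buckets: assets that match the page title but cannot be confirmed as AMI hardware by their certificate.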

FAQ

Q1. What is MegaRAC BMC?

The Baseboard Management Controller (BMC) is a microcontroller that enables remote server management, even when the main operating system is down. It supports tasks such as system maintenance and diagnostics through interfaces like Intelligent Platform Management Interface (IPMI) or Redfish, allowing administrators to reinstall the OS, reboot the server, or update the firmware.

Q2. What are the recommended practices for enhancing BMC security?

The U.S. CISA, NSA, and Eclypsium recommend the following measures to strengthen BMC security:

  1. Avoid exposing Redfish, IPMI, and BMC interfaces directly to the internet.
  2. Allow BMC access only from a dedicated management network.
  3. Restrict administrative access using firewalls and access control lists (ACLs).
  4. Regularly update BMC firmware and conduct routine inspections.
  5. Analyze BMC logs for anomalies such as unauthorized account creation or suspicious behavior.
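Items 2 and 5 above can be turned into a simple log check. The following is an added example, not code from Criminal IP, AMI or the agencies cited; the log line format, the management network (10.10.0.0/24) and the event wording are assumptions, and the sample lines are constructed. Real MegaRAC audit logs use their own format, so the regular expressions must be adapted to it.

```python
"""Scan BMC audit-log lines for the anomalies the recommendations list (added example)."""
import ipaddress
import re
from collections import Counter

# Assumption: the dedicated management network from which BMC access is allowed.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
FAIL_BURST = 3  # assumption: this many failed logins from one source is worth a finding

# Assumed generic line shape: "<timestamp> <host> audit: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user '(?P<user>[^']+)' login (?P<result>success|failure) from (?P<src>\S+)")
CREATE_RE = re.compile(r"user '(?P<user>[^']+)' created by '(?P<actor>[^']+)'")
FIRMWARE_RE = re.compile(r"firmware update (?P<action>\w+) by '(?P<actor>[^']+)' from (?P<src>\S+)")

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
2025-03-27T10:00:01Z bmc01 audit: user 'admin' login success from 10.10.0.5
2025-03-27T10:00:09Z bmc01 audit: user 'svc_backup' created by 'admin'
2025-03-27T10:01:00Z bmc01 audit: user 'admin' login failure from 198.51.100.7
2025-03-27T10:01:02Z bmc01 audit: user 'admin' login failure from 198.51.100.7
2025-03-27T10:01:05Z bmc01 audit: user 'admin' login failure from 198.51.100.7
2025-03-27T10:02:30Z bmc01 audit: user 'admin' login success from 198.51.100.7
2025-03-27T10:03:00Z bmc01 audit: firmware update started by 'admin' from 198.51.100.7
2025-03-27T10:05:00Z bmc01 audit: user 'operator' login success from 10.10.0.9
"""


def _outside_mgmt(src):
    """True when the source address is not inside the management network."""
    try:
        return ipaddress.ip_address(src) not in MGMT_NET
    except ValueError:
        return True  # an unparseable source is itself worth a look


def scan(log_text):
    """Return a list of (severity, rule, line) findings, in log order."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        # Item 5: account creation on the BMC is always reviewed.
        if CREATE_RE.search(msg):
            findings.append(("high", "account_created", line))
        # Firmware changes from outside the management network are the worst case.
        fw = FIRMWARE_RE.search(msg)
        if fw:
            sev = "high" if _outside_mgmt(fw.group("src")) else "info"
            findings.append((sev, "firmware_update", line))
        login = LOGIN_RE.search(msg)
        if login:
            src = login.group("src")
            if login.group("result") == "failure":
                failures[src] += 1
                if failures[src] == FAIL_BURST:
                    findings.append(("medium", "login_failure_burst", line))
            elif _outside_mgmt(src):
                # Item 2: a successful login from outside the management network.
                findings.append(("high", "login_outside_mgmt_net", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for sev, rule, line in scan(SAMPLE_LOG):
        print(f"[{sev:6s}] {rule:24s} {line}")
```

Run against the sample, the scan flags the new account, the burst of failures from 198.51.100.7, the successful login that follows it from outside the management network, and the firmware update from the same source; the two logins from inside 10.10.0.0/24 produce nothing.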

Conclusion

Since the BMC is a core server management system, its vulnerabilities can put an entire data center at risk. Administrators should enhance security by continuously detecting and monitoring threats using tools like Criminal IP and applying patches promptly. Failing to address these vulnerabilities could seriously endanger the security of data centers and vital company resources.

In relation to this, you can refer to CVE-2025-24813: Apache Tomcat RCE Vulnerability and Data Exposure.

Sources: Criminal IP (https://www.criminalip.io/), CSO (https://www.csoonline.com/article/3848376/critical-vulnerability-in-ami-megarac-bmc-allows-servers-takeover.html), Eclypsium (https://eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/)
