Severe AMI MegaRAC Vulnerability Exposes Data Centers to Attacks


A critical vulnerability in American Megatrends International’s (AMI) MegaRAC Baseboard Management Controller (BMC) software poses a severe risk to data centers and cloud service providers. This security flaw, tracked as CVE-2024-54085, allows remote attackers to hijack and potentially disable vulnerable servers completely.

What Is MegaRAC BMC and Why Is It Critical?

MegaRAC BMC is widely used by server vendors such as HPE, Asus, and ASRock, enabling administrators to manage servers remotely, even when they are powered down. This makes it an essential tool for troubleshooting but also a prime target for cybercriminals.

Security researchers from Eclypsium warn that this vulnerability can be exploited remotely without authentication, making it a high-risk issue. Attackers can gain full control over affected servers, install malware, corrupt firmware, or even cause irreversible hardware damage.

CVE-2024-54085

According to Eclypsium’s report, attackers can exploit this flaw by accessing MegaRAC’s Redfish management interfaces. This allows them to:

  • Remotely control compromised servers

  • Deploy malware or ransomware

  • Corrupt firmware (BMC, BIOS/UEFI)

  • Induce voltage fluctuations that could physically damage hardware

  • Trigger indefinite reboot loops, rendering systems unusable

The vulnerability was discovered while analyzing patches for CVE-2023-34329, another authentication bypass flaw disclosed in July 2023. Eclypsium has confirmed that several server models, including HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack, remain vulnerable if left unpatched.

Scale of the Threat

Using Shodan, a tool for finding exposed devices on the internet, security analysts identified over 1,000 servers vulnerable to remote attacks. Given AMI’s widespread adoption, the actual number of affected systems could be significantly higher.

This is not the first time MegaRAC vulnerabilities have been uncovered. In December 2022 and January 2023, Eclypsium researchers reported five critical security flaws (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) that attackers could exploit to hijack and brick servers. Later, in July 2023, another vulnerability, CVE-2023-34330, was found that allowed code injection via the Redfish interface.

Among these, CVE-2022-40258 is particularly concerning as it involves weak password hashing, making it easier for hackers to crack admin credentials and launch attacks more efficiently.

No Exploits in the Wild – Yet

Fortunately, there are no known real-world attacks using CVE-2024-54085 at this time. However, researchers warn that developing an exploit would be relatively easy, as AMI’s firmware binaries are not encrypted.


How to Protect Your Servers

Organizations using AMI MegaRAC should take immediate action to patch their systems and reduce exposure. Security experts recommend:

  1. Applying the latest security patches released on March 11 by AMI, Lenovo, and HPE.

  2. Restricting internet exposure of MegaRAC BMC instances to prevent remote exploitation.

  3. Monitoring server logs for unusual activity that might indicate an attack attempt.

  4. Working with OEM vendors to ensure proper security updates are implemented.
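As an added illustration of recommendations 2 and 3 above (example code written for this page, not from AMI, Eclypsium or any server vendor), the script below scans BMC access-log lines and flags exposure and suspicious Redfish activity: requests from clients outside an assumed management network, Redfish requests that succeeded without credentials, and writes to the firmware-update and account services or a system reset action. The simplified log format, the 10.20.0.0/24 management range and the sample lines are all constructed; the Redfish resource paths are standard ones defined by the DMTF Redfish specification.

```python
"""Flag BMC/Redfish access that a defender would want to look at.

Constructed log format (one request per line):
    <timestamp> <client_ip> <method> <path> <status> <user>
where <user> is "-" when the request carried no credentials.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed management network(s): only these clients should ever reach a BMC.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Standard Redfish services whose modification is worth an alert on its own.
SENSITIVE_PREFIXES = ("/redfish/v1/UpdateService", "/redfish/v1/AccountService")
RESET_ACTION = "ComputerSystem.Reset"
MUTATING = {"POST", "PATCH", "PUT", "DELETE"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<user>\S+)$"
)


@dataclass
class Finding:
    line_no: int
    reason: str
    client: str
    path: str


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def inspect(entry):
    """Return the list of reasons a single parsed request deserves attention."""
    reasons = []
    client = ipaddress.ip_address(entry["ip"])
    if not any(client in net for net in MANAGEMENT_NETS):
        reasons.append("client outside management network")
    # A 2xx/3xx answer to a credential-less Redfish request should never happen
    # on a correctly configured BMC; it is the signature of an auth bypass.
    if entry["path"].startswith("/redfish/") and entry["user"] == "-" and entry["status"] < 400:
        reasons.append("unauthenticated Redfish request succeeded")
    if entry["method"] in MUTATING:
        if entry["path"].startswith(SENSITIVE_PREFIXES):
            reasons.append("write to sensitive Redfish service")
        if RESET_ACTION in entry["path"]:
            reasons.append("system reset action invoked")
    return reasons


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            findings.append(Finding(n, "unparseable log line", "?", "?"))
            continue
        for reason in inspect(entry):
            findings.append(Finding(n, reason, entry["ip"], entry["path"]))
    return findings


# Constructed sample log: a normal admin session, a rejected anonymous request,
# then an outside client reading and updating firmware without credentials.
SAMPLE_LOG = [
    "2025-03-12T08:00:01Z 10.20.0.15 GET /redfish/v1/Systems 200 admin",
    "2025-03-12T08:00:05Z 10.20.0.15 GET /redfish/v1/Managers 401 -",
    "2025-03-12T08:01:10Z 203.0.113.44 GET /redfish/v1/Managers 200 -",
    "2025-03-12T08:01:12Z 203.0.113.44 POST /redfish/v1/UpdateService/Actions/UpdateService.SimpleUpdate 202 -",
    "2025-03-12T08:02:00Z 10.20.0.15 POST /redfish/v1/Systems/1/Actions/ComputerSystem.Reset 204 admin",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.client} {f.path})")
```

Running the script on the sample log reports nothing for the first two lines, two findings for the anonymous read from 203.0.113.44, three for the firmware-update call, one for the authenticated reset, and one for the malformed line. In practice the management range comes from your own network inventory and the log lines from the BMC's web-server or audit log, whose exact format varies by vendor, so the regular expression is the part to adapt.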

A Complex Patching Process

While AMI has issued patches to its OEM customers, applying these fixes is not straightforward. Vendors must integrate the patches into their firmware updates, and users need to schedule downtime to update their servers.

Final Thoughts

The CVE-2024-54085 vulnerability highlights the growing risks associated with BMC software. As cyber threats continue to evolve, organizations must remain vigilant in securing remote management interfaces and ensuring timely updates to their infrastructure.

With cloud service providers and data centers relying heavily on AMI MegaRAC, failure to patch this critical flaw could lead to catastrophic security breaches. Organizations must act now to mitigate potential attacks and protect their systems from being hijacked or permanently disabled.