A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.
The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.
"A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host-to-BMC interface (Redfish)," firmware security company Eclypsium said in a report shared with The Hacker News.
"Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware and ransomware, tamper with firmware, brick motherboard components (the BMC or potentially the BIOS/UEFI), cause potential physical damage to the server, and trigger indefinite reboot loops that cannot be stopped."
The vulnerability could be weaponized for devastating attacks, causing susceptible devices to reboot continuously by sending malicious commands. This could then pave the way to indefinite downtime until the devices are re-
CVE-2024-54085 is the latest in a long list of security flaws found in AMI MegaRAC BMCs since December 2022, collectively tracked as BMC&C.
Eclypsium noted that CVE-2024-54085 is similar to CVE-2023-34329 in that it also allows an authentication bypass with comparable impact. The vulnerability has been confirmed to affect the devices below:
- HPE Cray XD670
- Asus RS720A-E11-RS24U
- ASRockRack
AMI released patches to address the flaw on March 11, 2025. While there is no evidence that the issue has been exploited in the wild, it is important that downstream users update their systems once OEM vendors incorporate these fixes and release them to customers.
"Please note that patching these vulnerabilities is a non-trivial exercise that requires device downtime," Eclypsium said. "The vulnerability only affects AMI's BMC software stack. However, because AMI is at the top of the BIOS supply chain, the downstream exposure affects a dozen manufacturers."
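Because the fix reaches operators only through OEM firmware releases, the practical first step is an inventory: which hosts have an AMI MegaRAC BMC, which of those still run firmware older than the OEM's fixed build, and which BMC management interfaces are reachable from networks other than an isolated out-of-band segment. The following Python triage helper is an added example, not code from Eclypsium, AMI or any OEM. It assumes the operator has already collected each host's Redfish Manager resource (the standard `/redfish/v1/Managers/<id>` document, whose `Manufacturer`, `Model` and `FirmwareVersion` fields are used here) together with a label for the network the BMC sits on; the sample inventory and the `FIXED_VERSIONS` table are constructed placeholders, since this page gives no patched version numbers and the real values must come from the OEM advisory.

```python
import re
from dataclasses import dataclass


# Constructed sample: Redfish Manager resources as three hosts might report them,
# plus an operator-supplied label for the BMC's network. All strings are made up.
SAMPLE_INVENTORY = [
    {"host": "node-01", "bmc_network": "isolated-oob",
     "manager": {"Id": "1", "Manufacturer": "AMI", "Model": "MegaRAC SPx",
                 "FirmwareVersion": "12.84.00"}},
    {"host": "node-02", "bmc_network": "shared-with-prod",
     "manager": {"Id": "1", "Manufacturer": "AMI", "Model": "MegaRAC SPx",
                 "FirmwareVersion": "12.90.10"}},
    {"host": "node-03", "bmc_network": "shared-with-prod",
     "manager": {"Id": "bmc", "Manufacturer": "Example Corp", "Model": "OtherBMC",
                 "FirmwareVersion": "3.2.1"}},
]

# Placeholder table: minimum firmware version per BMC model that contains the OEM's
# fix. The page does not give these numbers; fill from the vendor advisory.
FIXED_VERSIONS = {"MegaRAC SPx": "12.90.00"}


def parse_version(version: str) -> tuple:
    """Turn '12.84.00' (or '12-84-00') into (12, 84, 0) for ordered comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_ami_megarac(manager: dict) -> bool:
    """Heuristic: does this Redfish Manager resource describe an AMI MegaRAC BMC?"""
    fields = ("Manufacturer", "Model", "Description", "FirmwareVersion")
    haystack = " ".join(str(manager.get(k, "")) for k in fields).lower()
    manufacturer = str(manager.get("Manufacturer", "")).strip().upper()
    return ("megarac" in haystack
            or "american megatrends" in haystack
            or manufacturer == "AMI")


@dataclass
class Finding:
    host: str
    priority: str   # "high", "medium" or "low"
    reasons: list


def triage(inventory: list, fixed_versions: dict) -> list:
    """Rank AMI MegaRAC hosts by patch state and management-network exposure."""
    findings = []
    for entry in inventory:
        manager = entry["manager"]
        if not is_ami_megarac(manager):
            continue  # other BMC vendors are out of scope for this advisory
        reasons = []
        firmware = str(manager.get("FirmwareVersion", ""))
        fixed = fixed_versions.get(str(manager.get("Model", "")))
        if fixed is None:
            patched = False
            reasons.append("AMI MegaRAC BMC with no fixed version on record; confirm with OEM")
        elif parse_version(firmware) < parse_version(fixed):
            patched = False
            reasons.append(f"firmware {firmware} is older than fixed build {fixed}")
        else:
            patched = True
        exposed = entry.get("bmc_network") != "isolated-oob"
        if exposed:
            reasons.append("BMC management interface is not on an isolated out-of-band network")
        if patched and not exposed:
            continue  # nothing to report for this host
        if not patched and exposed:
            priority = "high"
        elif not patched:
            priority = "medium"
        else:
            priority = "low"  # patched but still reachable: defense in depth
        findings.append(Finding(entry["host"], priority, reasons))
    # Highest priority first so the report reads top-down.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.priority])


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, FIXED_VERSIONS):
        print(f"[{finding.priority.upper()}] {finding.host}: " + "; ".join(finding.reasons))
```

Network placement only reduces one of the two paths Eclypsium describes: the internal host-to-BMC Redfish interface is reachable from the host operating system regardless of how the management LAN is segmented, so an isolated BMC network lowers the priority of an unpatched host in this script but never removes it from the report.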