New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking

April 18, 2025 | Ravie Lakshmanan | Vulnerability / Firmware Security

A critical security flaw has been discovered in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.

The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10, indicating maximum severity.

A local or remote attacker can “exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” firmware security company Eclypsium said in a report shared with The Hacker News.

By exploiting this vulnerability, an attacker can remotely control the compromised server, remotely deploy ransomware, tamper with firmware, brick motherboard components (BMC or possibly BIOS/UEFI), cause physical damage to the server (over-voltage or bricking), and trigger indefinite reboot loops that a victim cannot stop.

The vulnerability can also be used to launch destructive attacks in which malicious commands cause vulnerable devices to reboot continually. This can lead to indefinite downtime until the devices are re-provisioned.

CVE-2024-54085 is the latest in a long list of security flaws discovered in AMI MegaRAC BMCs since December 2022. They have been collectively tracked as BMC&C.

According to Eclypsium, CVE-2024-54085 has a similar impact to CVE-2023-34329 in that it allows for an authentication bypass. The following products have been confirmed to be affected by the vulnerability:

  • HPE Cray XD670
  • Asus RS720A-E11-RS24U
  • ASRockRack

AMI has released patches to fix the issue as of March 11, 2025. Although there is no evidence that the flaw has been exploited in the wild, it’s crucial that downstream users update their systems once OEM vendors incorporate these fixes and release them to their customers.

Patching these vulnerabilities requires device downtime, according to Eclypsium. The vulnerability only affects AMI’s BMC software stack. However, because AMI is at the top of the BIOS supply chain, the downstream impact affects over a hundred companies.
