What is AMI MegaRAC SPx?
American Megatrends International (AMI) MegaRAC SPx is a Baseboard Management Controller (BMC) firmware platform used in enterprise servers from major OEMs — Dell, HPE, ASRock Rack, Lenovo, Supermicro, and others. A BMC is a dedicated microcontroller embedded in server motherboards that provides out-of-band management: remote power control, console access, hardware monitoring, and firmware updates — all independent of the main host operating system. AMI's MegaRAC is the market-leading BMC firmware platform.
BMC vulnerabilities represent the highest-severity class of server vulnerabilities: a compromised BMC persists through OS reinstalls, can flash malicious firmware, and provides covert persistent access to the physical server. BMC firmware compromise is an attacker's dream for long-term infrastructure persistence.
Overview
CVE-2024-54085 — part of the "MegaRACE" vulnerability family named by Eclypsium — is an authentication bypass by spoofing vulnerability (CWE-290) in AMI MegaRAC SPx's Redfish Host Interface. The Redfish Host Interface is an in-band communication channel between the host OS and the BMC, normally accessible only from the host system. The vulnerability allows a remote unauthenticated attacker to spoof this interface and bypass BMC authentication, gaining full Redfish API access. With BMC control, an attacker can flash malicious firmware, brick servers, exfiltrate server credentials, and establish persistence that survives OS reinstalls.
Affected Versions
| AMI MegaRAC SPx Branch | Vulnerable | Fixed |
|---|---|---|
| SP6 | 12.0–12.6 | Apply AMI patch (OEM-specific) |
| SP7 | 13.0–13.4 | Apply AMI patch (OEM-specific) |
OEM-specific patching: AMI provides BMC firmware to OEM server vendors who build their own management firmware on top (Dell iDRAC, HPE iLO, etc.). Patches are distributed through each OEM's BMC firmware update mechanism — not directly from AMI. Check your server vendor's BMC firmware advisory for the specific patched version.
Technical Details
The authentication bypass by spoofing (CWE-290) exploits the Redfish Host Interface — an IPMI/Redfish API channel that runs over an internal "virtual USB" connection between the host OS and the BMC. This interface is designed to be accessible only from software running on the physical host server. The vulnerability allows a remote attacker to spoof/impersonate this host-side interface, making the BMC believe the request comes from the host system rather than the network.
By bypassing authentication via this spoof, the attacker gains full Redfish API access, which provides:
- Power control (shutdown, reboot, power cycle)
- Virtual KVM console access
- Remote media mounting (boot arbitrary ISO images)
- Firmware flashing (update/replace BMC firmware with malicious version)
- User management (create new BMC administrator accounts)
- Access to server hardware sensors and serial console
Persistence through firmware flash: The most dangerous outcome is flashing a malicious BMC firmware image — the attacker's code persists in the BMC, surviving OS reinstalls, disk replacements, and hypervisor reinstalls. Only physical access or a clean BMC firmware re-flash from trusted media can remove it.
Discovery
Discovered by Eclypsium Research, who coined the "MegaRACE" name for the family of AMI MegaRAC vulnerabilities they found. Eclypsium specializes in firmware and hardware security.
Exploitation Context
CISA confirmed active exploitation and added the CVE to the KEV catalog on June 25, 2025, with a 21-day remediation deadline. Data center infrastructure and cloud provider server hardware are the primary targets — BMC vulnerabilities enable persistent, stealthy compromise of physical servers that is extremely difficult to detect and remediate. The confirmed exploitation context is consistent with nation-state actors targeting data center infrastructure for long-term presence.
Remediation
- Apply BMC firmware patches from your server OEM immediately — check Dell, HPE, ASRock, Lenovo, Supermicro, or your server vendor's security portal for the patched BMC firmware version. The CISA deadline was July 16, 2025.
- Isolate the BMC network — BMC management interfaces should be on a dedicated out-of-band management network, never reachable from general enterprise networks or the internet.
- Audit BMC user accounts for unexpected new administrator accounts created after the compromise window.
- Verify BMC firmware integrity — compare BMC firmware hash against the vendor's known-good value for your model and version.
- Monitor BMC access logs for authentication events from unexpected source IP addresses.
- Assume persistence if the BMC was network-accessible to untrusted hosts before patching — a compromised BMC may have been reflashed with malicious firmware, requiring physical intervention for complete remediation.
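A defender-side check for the account-audit and log-monitoring steps above, as an added example (not code from the advisory, AMI, or Eclypsium). It assumes the DMTF-standard Redfish AccountService paths and a hypothetical BMC host, user and password for the live fetch; the account resources and log lines are constructed samples.

```python
"""Added example: audit a BMC's Redfish accounts for unexpected administrators
and flag BMC authentication events from outside the management subnet."""
import base64, ipaddress, json, re, urllib.request

ADMIN_ROLES = {"Administrator"}      # DMTF standard full-control role id
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def redfish_get(bmc, path, user, password):
    """GET one Redfish resource with basic auth from a live BMC (hypothetical
    host; the BMC's certificate must be trusted by the default SSL context)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{bmc}{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fetch_accounts(bmc, user, password):
    """Expand the standard /redfish/v1/AccountService/Accounts collection."""
    coll = redfish_get(bmc, "/redfish/v1/AccountService/Accounts", user, password)
    return [redfish_get(bmc, m["@odata.id"], user, password) for m in coll["Members"]]

def unexpected_admins(accounts, allowlist):
    """Enabled administrator-role accounts whose name is not on the allowlist."""
    return sorted(a["UserName"] for a in accounts
                  if a.get("Enabled") and a.get("RoleId") in ADMIN_ROLES
                  and a["UserName"] not in allowlist)

def off_subnet_auth_events(log_lines, mgmt_net):
    """(line, ip) for auth-related log lines whose source IP is outside mgmt_net."""
    net = ipaddress.ip_network(mgmt_net)
    return [(line, ip) for line in log_lines if re.search(r"login|auth", line, re.I)
            for ip in IPV4_RE.findall(line) if ipaddress.ip_address(ip) not in net]

# Constructed samples: account resources as a BMC returns them, and log lines
# (wording varies by OEM; only the source IP is parsed).
SAMPLE_ACCOUNTS = [
    {"UserName": "root", "RoleId": "Administrator", "Enabled": True},
    {"UserName": "monitor", "RoleId": "ReadOnly", "Enabled": True},
    {"UserName": "svc-bkup", "RoleId": "Administrator", "Enabled": True},
    {"UserName": "retired", "RoleId": "Administrator", "Enabled": False},
]
SAMPLE_LOG = [
    "2025-06-26T02:11:03Z redfish: login success user=root from 10.99.0.21",
    "2025-06-26T02:12:40Z redfish: login success user=svc-bkup from 203.0.113.45",
    "2025-06-26T02:13:01Z sensor: fan1 speed 4200 rpm",
]
```

Run `unexpected_admins(fetch_accounts(host, user, password), allowlist)` against each BMC from the management network; any name it returns, and any hit from the log check, is a lead for the "assume persistence" step.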
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-54085 |
| Vendor / Product | AMI — MegaRAC SPx |
| NVD Published | 2025-03-11 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-290 |
| CISA KEV Added | 2025-06-25 |
| CISA KEV Deadline | 2025-07-16 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-03-11 | CVE published; AMI releases patches |
| 2025-06-25 | CISA adds to KEV (active exploitation confirmed) |
| 2025-07-16 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| AMI Security Advisory AMI-SA-2025003 | Vendor Advisory |
| NVD — CVE-2024-54085 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Eclypsium — MegaRACE: AMI MegaRAC BMC Vulnerability | Security Research |
| NetApp Security Advisory — CVE-2024-54085 | Security Research |