CISA Warns: AMI MegaRAC Bug Exploited in Server Hijacks

Summary
– CISA confirmed a critical vulnerability (CVE-2024-54085) in AMI’s MegaRAC BMC software is being actively exploited, allowing remote server hijacking.
– The flaw affects multiple vendors (e.g., HPE, Asus, ASRock) and enables attackers to deploy malware, tamper with firmware, or brick servers without authentication.
– Eclypsium discovered the vulnerability while analyzing patches for a similar bug (CVE-2023-34329) and found over 1,000 exposed servers online.
– CISA added the flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by July 16 under BOD 22-01.
– All organizations, not just federal agencies, are urged to patch immediately due to the high risk of exploitation and severe potential impacts.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of a critical vulnerability in AMI’s MegaRAC Baseboard Management Controller (BMC) software, putting servers at risk of takeover and sabotage.
This high-severity flaw, identified as CVE-2024-54085, allows attackers to bypass authentication and gain remote control of vulnerable systems without requiring user interaction. MegaRAC BMC firmware, widely used by major hardware vendors like HPE, Asus, and ASRock, enables remote server management—making it a prime target for cybercriminals targeting cloud providers and data centers.
Successful exploitation could lead to devastating consequences, including malware deployment, ransomware attacks, firmware manipulation, and even permanent hardware damage. Researchers from Eclypsium, who uncovered the vulnerability, warn that attackers could force servers into irreversible reboot loops or brick critical components like the BMC or BIOS/UEFI.
The flaw was discovered during an analysis of patches for a related vulnerability (CVE-2023-34329) disclosed last year. Despite AMI releasing fixes in March, Eclypsium found over 1,000 exposed servers still vulnerable, noting that exploiting the flaw is relatively straightforward due to unencrypted firmware binaries.
CISA has now added CVE-2024-54085 to its Known Exploited Vulnerabilities catalog, confirming active attacks in the wild. Federal agencies must apply patches by July 16, as mandated by Binding Operational Directive (BOD) 22-01. While the directive applies specifically to government networks, all organizations are urged to prioritize updates to mitigate the threat.
Eclypsium emphasized that while the flaw directly impacts AMI’s BMC software, its widespread adoption means dozens of downstream manufacturers and their customers are at risk. With attackers already leveraging the vulnerability, delaying patches could result in catastrophic system compromises.
CISA reiterated that such flaws are frequently exploited by threat actors and pose severe risks to critical infrastructure. Proactive mitigation is essential to prevent large-scale disruptions.
(Source: BLEEPINGCOMPUTER)