CVE-2024-54085
Published 2025-03-11
Priority P194 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-07-16
Exploited in the wild
EPSS 61.20% (99.0th percentile)
AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ami | megarac-spx | >= 12.0 < 12.7 | 12.7 |
| ami | megarac-spx | >= 13.0 < 13.5 | 13.5 |
| ami | megarac_sp-x | >= 12 < 12.7 | 12.7 |
| ami | megarac_sp-x | >= 13 < 13.5 | 13.5 |
Detection & IOCs
- url: /redfish/v1/
- other: x-server-addr: <value containing colon followed by comma>
- snort:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085)"; flow:established,to_server; http.uri; content:"/redfish/v1/"; fast_pattern; startswith; http.header; to_lowercase; content:"x-server-addr|3a 20|"; pcre:"/^[^\x3a\x0d\x0a]*?\x3a\s*\x2c/R"; reference:url,eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/; reference:cve,2024-54085; classtype:web-application-attack; sid:2061010; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_54085, deployment Perimeter, deployment Internal, confidence High, signature_severity Critical, tag Exploit, updated_at 2025_03_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Monitor HTTP requests to the Redfish Host Interface (/redfish/v1/) for the presence of a manipulated 'X-Server-Addr' header. The exploit abuses this header to bypass BMC authentication.
- The Snort/Suricata rule (sid:2061010) specifically detects the malformed X-Server-Addr header pattern where the value contains a colon followed by a comma, which is the authentication bypass trigger. Deploy it on both perimeter and internal network segments.
- Restrict network access to the BMC network interface to trusted networks only, as the vulnerability is exploitable remotely with no authentication and no user interaction required.
- Affected hardware includes HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack devices. Prioritize detection and patching on these platforms.
- Post-exploitation indicators include unexpected firmware updates, reboot loops that the victim cannot stop, BIOS/UEFI changes, or malware deployment originating from BMC-level processes.
- MegaRAC BMC firmware binaries are not encrypted, making exploit development straightforward. Eclypsium noted that creating an exploit is 'not challenging.'
- The Snort rule targets inbound HTTP traffic to $HOME_NET/$HTTP_SERVERS. Ensure BMC management interfaces are included in monitored network segments for this rule to be effective.
- CISA's KEV remediation deadline for federal agencies is July 16, 2025. The AMI security advisory is available at https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
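
An added example, not part of the original page or of the ET ruleset: the matching logic of sid:2061010 reimplemented in Python so it can be run over logged or captured requests where no IDS sensor sees the BMC segment. The sample requests and the names `parse_request`, `is_suspicious` and `scan` are constructed for illustration; unlike the rule, this version accepts any amount of whitespace after the header name's colon.

```python
import re

# Mirrors the pcre in sid:2061010: a run without colon/CR/LF, then a colon,
# optional whitespace, then a comma.
VALUE_RE = re.compile(r"^[^:\r\n]*?:\s*,")
URI_PREFIX = "/redfish/v1/"
HEADER = "x-server-addr"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (uri, [(lowercased name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines that are not "name: value"
            headers.append((name.strip().lower(), value.strip()))
    return uri, headers


def is_suspicious(raw):
    """True when a Redfish request carries the colon-then-comma header value."""
    uri, headers = parse_request(raw)
    if not uri.startswith(URI_PREFIX):
        return False
    # Check every occurrence: a request may repeat the header.
    return any(n == HEADER and VALUE_RE.search(v) for n, v in headers)


# Constructed sample requests (documentation addresses, not captured traffic).
def _req(path, value, name="X-Server-Addr"):
    return f"GET {path} HTTP/1.1\r\nHost: bmc.example\r\n{name}: {value}\r\n\r\n"


SAMPLES = {
    "plain_addr": _req("/redfish/v1/Systems", "192.0.2.10"),
    "addr_with_port": _req("/redfish/v1/Systems", "192.0.2.10:443"),
    "colon_comma": _req("/redfish/v1/Systems", "192.0.2.10:, 198.51.100.7"),
    "mixed_case_name": _req("/redfish/v1/", "192.0.2.10: ,x", name="x-SERVER-addr"),
    "other_path": _req("/index.html", "192.0.2.10:, 198.51.100.7"),
}


def scan(samples):
    """Return the names of the samples that match, sorted."""
    return sorted(k for k, raw in samples.items() if is_suspicious(raw))
```

An ordinary `address:port` value is not flagged, which keeps the check usable on segments where the header appears legitimately.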
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
GHSA
GHSA-vcgc-h73q-2m2p: AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface
ghsa_unreviewed · 2025-03-11
CVE-2024-54085 [CRITICAL] CWE-290
AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
VulnCheck
AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
vulncheck · 2024 · CVSS 10.0
CVE-2024-54085 [CRITICAL] CWE-290
AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
Affected: AMI MegaRAC SPx
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://eclypsium.com/blog/bmc-vulnerability-cve-2024-05485-cisa-known-exploited-vulnerabilities/; https://eclypsium.com/blog/white-house-ai-cybersecurity-plan-takeaways/; https://www.kel
CISA
AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
cisa · 2025-06-25 · CVSS 10.0
CVE-2024-54085 [CRITICAL] CWE-290
Vulnerability: AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
Affected: AMI MegaRAC SPx
AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf ; https://
CISA ICS
Siemens IPC RS-828A
cisa_ics · 2025-05-15 · CVSS 9.8
[CRITICAL] ICS Advisory
## Siemens IPC RS-828A
Release Date: May 15, 2025
Alert Code: ICSA-25-135-07
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: IPC RS-828A
- Vulnerability: Authentication Bypass by Spoofing
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could al
Suricata
ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085)
suricata · 2025-03-21 · CVSS 10.0
CVE-2024-54085 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085)"; flow:established,to_server; http.uri; content:"/redfish/v1/"; fast_pattern; startswith; http.header; to_lowercase; content:"x-server-addr|3a 20|"; pcre:"/^[^\x3a\x0d\x0a]*?\x3a\s*\x2c/R"; reference:url,eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/; reference:cve,2024-54085; classtype:web-application-attack; sid:2061010; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_54085, deployment Perimeter, deployment Internal, confidence High, signature_severity Critical, tag Exploit, updated_at 2025_03_21, mitr
No public exploits indexed.
Bleepingcomputer
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
blogs_bleepingcomputer · 2025-06-26 · CVSS 9.1 · CRITICAL
Author: Sergiu Gatlan
CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks.
The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers.
This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.
"Exploitation of this vulnerability allows an
Bleepingcomputer
ASUS releases fix for AMI bug that lets hackers brick servers
blogs_bleepingcomputer · 2025-04-23 · CVSS 10.0 · CRITICAL
Author: Bill Toulas
"A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," explained Eclypsium in a related report.
"Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop."
Though AMI released a bulletin along with patches on March 11, 2025, time was needed for impacted OEMs to implement the fixes on their products.
Today, ASUS announced th
Checkpoint
24th March – Threat Intelligence Report
blogs_checkpoint · 2025-03-24
CVE-2024-48248
For the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by a Qilin ransomware attack, forcing employees offline and delaying trials, while Strafford County, Pelham School District, and Derby Police Department also reported servi
Bleepingcomputer
Critical AMI MegaRAC bug can let attackers hijack, brick servers
blogs_bleepingcomputer · 2025-03-18 · CVSS 9.1 · CRITICAL
Author: Sergiu Gatlan
A new critical severity vulnerability found in American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers.
MegaRAC BMC provides "lights-out" and "out-of-band" remote system management capabilities that help admins troubleshoot servers as if they were physically in front of the devices. The firmware is used by over a dozen server vendors that provide equipment to many cloud service and data center providers, including HPE, Asus, ASRock, and others.
Remote unauthenticated attackers can exploit this maximum severity security flaw (tracked as CVE-2024-54085) in low-complexity attacks that don't require user
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
- https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
- https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/
- https://eclypsium.com/blog/bmc-vulnerability-cve-2024-05485-cisa-known-exploited-vulnerabilities/
- https://security.netapp.com/advisory/ntap-20250328-0003/
- https://www.bleepingcomputer.com/news/security/cisa-ami-megarac-bug-that-lets-hackers-brick-servers-now-actively-exploited/
- https://www.networkworld.com/article/4013368/ami-megarac-authentication-bypass-flaw-is-being-exploitated-cisa-warns.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-54085
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-54085
2025-03-11: Published
2025-06-25: Added to CISA KEV
Exploited in the wild