CVE-2024-54085
published 2025-03-11


Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2025-07-16)
Exploited in the wild
EPSS: 61.20% (99.0th percentile)
AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

Affected (4 ranges)

Vendor | Product       | Version range   | Fixed in
ami    | megarac-spx   | >= 12.0 < 12.7  | 12.7
ami    | megarac-spx   | >= 13.0 < 13.5  | 13.5
ami    | megarac_sp-x  | >= 12 < 12.7    | 12.7
ami    | megarac_sp-x  | >= 13 < 13.5    | 13.5

Detection & IOCs (extracted from sources)

url: /redfish/v1/
other: x-server-addr: <value containing colon followed by comma>
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER MegaRAC Redfish Authentication Bypass via X-Server-Addr Header (CVE-2024-54085)"; flow:established,to_server; http.uri; content:"/redfish/v1/"; fast_pattern; startswith; http.header; to_lowercase; content:"x-server-addr|3a 20|"; pcre:"/^[^\x3a\x0d\x0a]*?\x3a\s*\x2c/R"; reference:url,eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/; reference:cve,2024-54085; classtype:web-application-attack; sid:2061010; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_54085, deployment Perimeter, deployment Internal, confidence High, signature_severity Critical, tag Exploit, updated_at 2025_03_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor HTTP requests to the Redfish Host Interface (/redfish/v1/) for the presence of a manipulated 'X-Server-Addr' header. The exploit abuses this header to bypass BMC authentication.
  • The Snort/Suricata rule (sid:2061010) specifically detects the malformed X-Server-Addr header pattern where the value contains a colon followed by a comma, which is the authentication bypass trigger. Deploy on both perimeter and internal network segments.
  • Restrict network access to the BMC network interface to trusted networks only, as the vulnerability is exploitable remotely with no authentication and no user interaction required.
  • Affected hardware includes HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack devices. Prioritize detection and patching on these platforms.
  • Post-exploitation indicators include unexpected firmware updates, reboot loops, BIOS/UEFI changes, or malware deployment originating from BMC-level processes, none of which the victim can stop from the host side.
  • MegaRAC BMC firmware binaries are not encrypted, making exploit development straightforward. Eclypsium noted that creating an exploit is 'not challenging.'
  • The Snort rule targets inbound HTTP traffic to $HOME_NET/$HTTP_SERVERS. Ensure BMC management interfaces are included in the monitored network segments for this rule to be effective.
  • CISA's KEV remediation deadline for federal agencies is July 16, 2025. The AMI security advisory is available at https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
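The bullets above describe the rule's logic in words; the following script is an added example (not code from the page, from AMI, or from the rule's authors) that applies the same three conditions from sid:2061010 to raw HTTP request text: URI starts with /redfish/v1/, an X-Server-Addr header is present (name matched case-insensitively, as the rule lowercases the header buffer), and its value matches the rule's PCRE, a colon followed by optional whitespace and a comma before any CR/LF. The sample requests are constructed for the demonstration and are not real captures; use it to sanity-check a log-replay or proxy-side detector offline before relying on the IDS rule alone.

```python
"""Offline detector mirroring Snort/Suricata rule sid:2061010 (CVE-2024-54085).

Added example: parses raw HTTP/1.1 requests and flags the X-Server-Addr
pattern the rule looks for on requests into the Redfish tree.
"""
import re
from typing import Dict, List, Optional, Tuple

# Same condition as the rule's PCRE ^[^\x3a\x0d\x0a]*?\x3a\s*\x2c, applied to the
# header value: no CR/LF before the first colon, optional whitespace, then a comma.
_BYPASS_VALUE = re.compile(r"^[^:\r\n]*?:\s*,")
REDFISH_PREFIX = "/redfish/v1/"   # rule: http.uri; content:"/redfish/v1/"; startswith


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, uri, headers with lowercased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        # Header names are case-insensitive; the rule applies to_lowercase before matching.
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def header_is_malformed(value: str) -> bool:
    """True when the X-Server-Addr value has the colon-then-comma shape the rule alerts on."""
    return _BYPASS_VALUE.match(value) is not None


def inspect_request(raw: str) -> Optional[str]:
    """Return an alert string when the request matches the rule's logic, else None."""
    _method, uri, headers = parse_request(raw)
    if not uri.startswith(REDFISH_PREFIX):
        return None
    value = headers.get("x-server-addr")
    if value is None or not header_is_malformed(value):
        return None
    return f"CVE-2024-54085 X-Server-Addr pattern on {uri}: {value!r}"


def scan(requests: List[str]) -> List[str]:
    """Run inspect_request over a batch and keep only the alerts."""
    return [alert for alert in (inspect_request(r) for r in requests) if alert]


# Constructed sample traffic for the demonstration (not real captures).
SAMPLE_REQUESTS = [
    # Benign Redfish request with no X-Server-Addr header at all.
    "GET /redfish/v1/Systems HTTP/1.1\r\nHost: bmc.example.internal\r\n\r\n",
    # Benign: header present, but the value is a plain host:port with no comma after the colon.
    "GET /redfish/v1/Chassis HTTP/1.1\r\nHost: bmc.example.internal\r\n"
    "X-Server-Addr: 10.0.0.5:443\r\n\r\n",
    # Matches the rule: colon followed by a comma, and a mixed-case header name.
    "GET /redfish/v1/Managers HTTP/1.1\r\nHost: bmc.example.internal\r\n"
    "x-Server-ADDR: 10.0.0.5:, extra\r\n\r\n",
    # Same header value but outside the Redfish tree: the rule does not fire.
    "GET /api/status HTTP/1.1\r\nHost: bmc.example.internal\r\n"
    "X-Server-Addr: 10.0.0.5:,x\r\n\r\n",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The URI check and the header check are kept as separate functions so that each half of the rule can be tested on its own; in particular `header_is_malformed` accepts a value that begins with the colon (an empty address part), exactly as the rule's `[^\x3a\x0d\x0a]*?` allows, which is worth remembering when tuning for false positives.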

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v4.0    | 10.0  | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |         | 10.0  | CRITICAL |
cisa      |         | 10.0  | CRITICAL |