Actively Exploited Server Vulnerability Gives Extraordinary Control Over Server Fleets

Critical server vulnerability CVE-2024-54085 (CVSS 10.0) in AMI MegaRAC BMC firmware, discovered March 11, 2025, is actively exploited, CISA warns. The Redfish interface flaw allows attackers to bypass authentication, gaining control over servers from AMD, ARM, Fujitsu, Gigabyte, Supermicro, Qualcomm. It enables remote code execution, malware, ransomware, firmware tampering, potential server damage, or reboot loops. Affecting data centers, BMCs’ extensive control heightens risks. AMI patched on March 11, 2025; HPE, Lenovo adopted fixes, but patching requires downtime. Admins must urgently secure infrastructure.

Understanding the CVE-2024-54085 Server Vulnerability

The CVE-2024-54085 server vulnerability lies in the Redfish interface, a standardized protocol for remote server management used by AMI MegaRAC BMC firmware. BMCs are specialized microcontrollers embedded in servers to handle tasks like power management, OS reinstallation, and hardware monitoring, often operating independently of the main system. The flaw stems from a logic error in the Redfish implementation that fails to enforce proper authentication, allowing attackers to access critical management functions without credentials. This grants them unparalleled control over affected servers, including the ability to:

• Execute Remote Code: Run arbitrary commands to install malware or backdoors.
• Deploy Ransomware: Encrypt critical data and demand payment for decryption.
• Tamper with Firmware: Modify BMC firmware to create persistent threats or disrupt operations.
• Cause Physical Damage: Overload hardware components or induce reboot loops, potentially causing physical wear or downtime.

The vulnerability impacts servers from major vendors, including AMD, ARM, Fujitsu, Gigabyte, Supermicro, and Qualcomm, used in data centers worldwide. Its CVSS score of 10.0 reflects its critical severity, as it requires no user interaction and can be exploited remotely if BMCs are exposed to the public internet. The active exploitation reported by CISA underscores the immediate danger to organizations relying on these servers for critical operations, such as cloud computing, financial services, and healthcare systems.

Why This Server Vulnerability Exists

The root cause of this server vulnerability is a logic flaw in the Redfish interface’s authentication mechanism, which fails to validate user credentials properly. BMCs are high-value targets because they operate with elevated privileges, controlling core server functions even when the system is powered off. Several factors contribute to the vulnerability’s severity and exploitability:

• Misconfigurations in Deployment: Many organizations expose BMC interfaces to the public internet instead of isolating them on dedicated, secure management networks. Despite warnings from vendors and cybersecurity experts, cost-driven decisions or lack of expertise in smaller organizations lead to this common misconfiguration.
• Open-Source Components: The Redfish interface, built on open-source standards, allows attackers to analyze publicly available code to identify weaknesses. This transparency, while beneficial for collaboration, can accelerate vulnerability discovery.
• Delayed Patching: Applying BMC firmware updates requires server downtime, which is challenging for organizations running mission-critical systems. This delay extends the window of exposure, especially as exploit code often becomes public shortly after disclosure.
• Competitive Pressures: The rush to implement advanced management features, like Redfish, to compete in the server hardware market may lead to insufficient security testing, introducing logic flaws like CVE-2024-54085.

The combination of these factors makes BMCs a prime target for both financially motivated cybercriminals and nation-state actors aiming to disrupt critical infrastructure. The month-long gap between patch availability and widespread exploitation highlights the urgency of addressing this server vulnerability.

Broader Implications for Data Centers and Enterprises

The CVE-2024-54085 server vulnerability poses a significant threat to data centers, which are the backbone of modern enterprise operations. With thousands of servers potentially affected, a single compromised BMC could serve as a gateway to broader network attacks, enabling attackers to pivot to other systems or exfiltrate sensitive data. The consequences include:

• Operational Disruption: Indefinite reboot loops or firmware tampering can cause prolonged downtime, impacting service availability for customers and partners.
• Data Breaches: Attackers could access sensitive data stored on servers, leading to intellectual property theft or regulatory violations under frameworks like GDPR or HIPAA.
• Physical Damage: Overloading server components could result in hardware failure, requiring costly replacements and repairs.
• Supply Chain Attacks: Compromised servers could be used to propagate malware to other organizations, as seen in past incidents like the 2020 SolarWinds breach.

In 2024, CISA reported a 40% increase in attacks targeting critical infrastructure, with server management systems like BMCs becoming frequent targets. The open-source nature of Redfish and the widespread use of AMI MegaRAC firmware—estimated to be in over 50% of enterprise servers—amplifies the attack surface. This incident underscores the need for robust security practices in server management and the risks of exposing critical systems to the internet.

Actionable Steps to Mitigate the Server Vulnerability

To protect against CVE-2024-54085, administrators and organizations must act swiftly. Here are six actionable steps to secure server fleets:

1. Check BMC Exposure: Use network scanning tools to identify whether BMC interfaces are exposed to the public internet. If detected, isolate them on a dedicated management network with strict firewall rules.
2. Apply Patches Promptly: Download and install the latest AMI MegaRAC firmware patches released on March 11, 2025, or vendor-specific updates from HPE, Lenovo, or others. Plan for controlled downtime to minimize disruption.
3. Consult Vendor Guidance: Contact server vendors (e.g., AMD, Supermicro, Fujitsu) for specific patching instructions and verify compatibility with your hardware.
4. Implement Network Segmentation: Place BMCs on a separate VLAN or network segment to prevent unauthorized access, even if credentials are compromised.
5. Monitor for Suspicious Activity: Deploy intrusion detection systems (IDS) to monitor BMC traffic for signs of exploitation, such as unusual commands or connections to unknown IP addresses.
6. Adopt Zero-Trust Security: Enforce multi-factor authentication (MFA) and strict access controls for BMC interfaces, treating all access as potentially malicious.

Secure Your Server Fleets Now

The CVE-2024-54085 server vulnerability is a critical wake-up call for organizations relying on AMI MegaRAC BMCs. Protect your servers from this actively exploited flaw! Contact our cybersecurity experts today for a comprehensive assessment and tailored solutions to secure your infrastructure. Click here to schedule your free consultation. Subscribe to our blog for the latest threat updates and stay ahead of cyber risks. Get in touch now!