Advisory

Critical authentication bypass vulnerability in AMI MegaRAC BMC software

Take action: Check your servers. If any of them use AMI's MegaRAC Baseboard Management Controller, make sure that the BMC is isolated in a separate network segment and accessible only from internal trusted systems. Then reach out to your server vendor for a patch, and plan a patch window. This update requires downtime and testing. The severity is maximal, so don't assume that isolation alone is enough.


Learn More

A critical severity vulnerability has been discovered in American Megatrends International's (AMI) MegaRAC Baseboard Management Controller (BMC) software.

The flaw is tracked as CVE-2024-54085 (CVSS v4 score 10.0) and is a remote authentication bypass flaw that allows unauthenticated attackers to take complete control of vulnerable servers without requiring user interaction. The vulnerability exists in a file named /usr/local/redfish/extensions/host-interface/host-interface-support-module.lua within the MegaRAC firmware. Security researchers at Eclypsium discovered that the code processes the "X-Server-Addr" or "Host" HTTP headers in an insecure manner:

An attacker can craft a request with an "X-Server-Addr" header value that begins with "169.254.0.17:" (which matches the default database entry). Because the regular expression extracts everything up to the first colon, this bypasses the authentication mechanism completely.
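As an added defender-side example (not AMI's or Eclypsium's code), the following Python scans a constructed JSON-per-line access log from a reverse proxy placed in front of the BMC and flags requests whose X-Server-Addr or Host header claims the default host-interface address while the client is not on the 169.254.0.0/16 link-local segment. The log format, its field names and the link-local assumption are my own; the prefix-before-colon comparison mirrors the behaviour the advisory describes.

```python
"""Flag BMC HTTP requests carrying a spoofed host-interface address
(an indicator for CVE-2024-54085). Added example, not AMI's or Eclypsium's
code; the JSON-per-line log format and field names are constructed."""
import ipaddress
import json
from typing import Iterable

# Default host-interface database entry named in the advisory.
HOST_INTERFACE_ADDR = "169.254.0.17"
# Assumption: genuine host-interface traffic arrives from the link-local
# range, never from a routed client address.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def claims_host_interface(header_value: str) -> bool:
    """True when a check that only compares the text before the first colon
    would take this header for the trusted host-interface entry."""
    return header_value.split(":", 1)[0] == HOST_INTERFACE_ADDR


def suspicious(record: dict) -> bool:
    """A request is suspicious when either header claims the host-interface
    address but the client is not on the link-local segment."""
    try:
        client = ipaddress.ip_address(record.get("client_ip", ""))
    except ValueError:
        return True  # unparsable source address: treat as suspicious
    headers = record.get("headers", {})
    claimed = any(claims_host_interface(headers.get(h, ""))
                  for h in ("X-Server-Addr", "Host"))
    return claimed and client not in LINK_LOCAL


def scan(lines: Iterable[str]) -> list:
    """Return (client_ip, path) for every suspicious JSON log line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if suspicious(rec):
            hits.append((rec.get("client_ip"), rec.get("path")))
    return hits


# Constructed sample: a benign request, a spoofed one from a routed address,
# and a genuine host-interface request from the link-local range.
SAMPLE_LOG = """
{"client_ip": "10.20.30.40", "path": "/redfish/v1/", "headers": {"Host": "bmc01.example.net"}}
{"client_ip": "10.20.30.41", "path": "/redfish/v1/AccountService/Accounts", "headers": {"Host": "bmc01.example.net", "X-Server-Addr": "169.254.0.17:443"}}
{"client_ip": "169.254.0.2", "path": "/redfish/v1/Systems", "headers": {"Host": "169.254.0.17:443"}}
"""

if __name__ == "__main__":
    for client, path in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious host-interface claim from {client} to {path}")
```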

The vulnerability affects AMI's MegaRAC BMC software, which provides "lights-out" and "out-of-band" remote system management capabilities. It has been confirmed to affect:

  • HPE Cray XD670 (firmware versions 1.09, 1.13, and 1.17)
  • Asus RS720A-E11-RS24U (firmware version 1.2.27)
  • ASRockRack devices

Researchers note that "there are likely to be more affected devices and/or vendors" since MegaRAC BMC firmware is used by over a dozen server vendors that supply equipment to many cloud service and data center providers.

Successful exploitation of this vulnerability enables attackers to remotely control compromised servers, deploy malware or ransomware, tamper with firmware, brick motherboard components (BMC or potentially BIOS/UEFI), create indefinite reboot loops that victims cannot stop, and even cause physical damage through over-voltage.

Since AMI is "at the top of the BIOS supply chain," vulnerabilities in their components affect many hardware vendors, which in turn impacts numerous cloud services. Organizations most at risk include those with:

  • Large server farms
  • Data centers
  • Cloud and hosting providers
  • Hyper-scaler environments
  • Fortune 500 companies that host their own data centers

Using Shodan, Eclypsium researchers identified over 1,000 servers online that are potentially exposed to internet attacks. While they report that no known exploits have been observed in the wild so far, they caution that "exploits themselves are not challenging to create once the vulnerability is located" because the firmware binaries are not encrypted.

AMI released patches on March 11, 2025. These patches have been provided to OEM computing manufacturers who must incorporate them into updates for their customers. Users are advised to:

  • Apply available patches as soon as possible
  • Ensure that all remote server management interfaces are not exposed externally
  • Restrict internal access to administrative users with ACLs or firewalls
  • Perform regular software and firmware updates
  • Monitor logs for unexpected behavior such as new account creation
  • Check that new equipment has high-severity vulnerabilities patched

Eclypsium notes that "patching these vulnerabilities is a non-trivial process, requiring device downtime."

Update: As of 20 March 2025, Hewlett Packard Enterprise (HPE) was among the first to address the issue, releasing a patch for its HPE Cray XD670 systems.

Asus has released updates to patch this flaw.

Lenovo released its patch on April 17.

Dell has confirmed that its systems are not affected by the MegaRAC vulnerability because Dell uses its own proprietary Integrated Dell Remote Access Controller (iDRAC) technology in its server products rather than AMI's MegaRAC.