New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking

Mar 18, 2025Ravie LakshmananVulnerability / Firmware Security

A critical security vulnerability has been disclosed in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions.

The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity.

“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” firmware security company Eclypsium said in a report shared with The Hacker News.

“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop.”

The vulnerability can further be weaponized to stage disruptive attacks, causing susceptible devices to continually reboot by sending malicious commands. This could then pave the way for indefinite downtime until the devices are re-provisioned.

CVE-2024-54085 is the latest in a long list of security shortcomings that have been uncovered in AMI MegaRAC BMCs since December 2022. They have been collectively tracked as BMC&C –

Eclypsium noted that CVE-2024-54085 is similar to CVE-2023-34329 in that it allows for an authentication bypass with a similar impact. The vulnerability has been confirmed to affect the below devices –

• HPE Cray XD670
• Asus RS720A-E11-RS24U
• ASRockRack

AMI has released patches to address the flaw as of March 11, 2025. While there is no evidence that the issue has been exploited in the wild, it’s essential that downstream users update their systems once OEM vendors incorporate these fixes and release them to their customers.

“Note that patching these vulnerabilities is a non-trivial exercise, requiring device downtime,” Eclypsium said. “The vulnerability only affects AMI’s BMC software stack. However, since AMI is at the top of the BIOS supply chain, the downstream impact affects over a dozen manufacturers.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!