CISA Warns: Critical AMI MegaRAC Firmware Flaw (CVE-2024-54085, CVSS 10.0) Actively Exploited for Server Takeover
Hackers have begun actively exploiting a critical vulnerability that grants them full control over thousands of servers, including those performing vital functions in data centers. This alarming development has prompted a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The flaw resides in the AMI MegaRAC firmware, a component used for remote management of extensive server fleets. Embedded within microcontrollers on motherboards—commonly referred to as Baseboard Management Controllers (BMCs)—this firmware allows administrators to perform operations even when the operating system is unresponsive or the server is powered down.
Through these controllers, one can reinstall operating systems, modify configurations, and launch applications—all without physical access to the server. Compromising a single controller may suffice to infiltrate the internal network and compromise the broader infrastructure.
The vulnerability, cataloged as CVE-2024-54085, has received the maximum severity rating of 10 out of 10. It enables an attacker to bypass authentication simply by sending a crafted HTTP request to a vulnerable device. The security firm Eclypsium discovered the flaw and disclosed it in March, providing a functional exploit capable of creating an administrator account without a password. At the time, no active exploitation had been observed.
On June 26, the flaw was officially added to CISA’s Known Exploited Vulnerabilities catalog, indicating that real-world attacks are now underway. While CISA has withheld specific details, Eclypsium believes the scope of these attacks could be extensive.
According to their findings, attackers can leverage chains of vulnerabilities to implant malicious code directly into the BMC firmware. This makes the compromise virtually invisible and persistent—even surviving operating system reinstalls and disk replacements. Such attacks evade antivirus tools and monitoring systems, allowing adversaries to remotely power on, shut down, or reboot servers, regardless of the OS state.
The implications are grave: stolen credentials, servers repurposed as footholds into internal networks, and firmware sabotage capable of rendering hardware inoperable. These risks are particularly severe for enterprise and cloud environments.
Researchers suspect Chinese cyber-espionage groups—well known for targeting firmware vulnerabilities—may be behind the attacks. Affected hardware vendors include AMD, Ampere, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm. While some have already issued patches, many have not.
Experts urge administrators to audit all devices using BMCs within their infrastructures. Given the broad range of potentially affected manufacturers, it is recommended to contact vendors directly for confirmation and guidance regarding the vulnerability.
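One way to carry out that audit, as an added example that is not from the article or any vendor, is to query each BMC's standard Redfish interface for the manager model and firmware version and flag controllers whose firmware does not match the version the operator has recorded from the vendor's guidance. It assumes Redfish is reachable on the management network with credentials already in hand; the host names, the `approved` map and the sample JSON are constructed for illustration.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample of a Redfish ServiceRoot and one Manager resource,
# used only to exercise the audit logic offline (not real device output).
SAMPLE_ROOT = {"Vendor": "ExampleOEM", "Managers": {"@odata.id": "/redfish/v1/Managers"}}
SAMPLE_MANAGER = {"Id": "1", "Model": "Example BMC", "FirmwareVersion": "1.00.0"}


def audit_manager(host, root, manager, approved):
    """Reduce one Manager resource to the audit fields and flag it when its
    firmware is not the version the operator recorded from vendor guidance
    (approved maps Model -> expected FirmwareVersion)."""
    model = manager.get("Model", "unknown")
    firmware = manager.get("FirmwareVersion", "unknown")
    return {
        "host": host,
        "vendor": root.get("Vendor", "unknown"),
        "model": model,
        "firmware": firmware,
        # unknown models and version mismatches both need a human look
        "needs_review": approved.get(model) != firmware,
    }


def fetch_json(base, path, auth, context):
    """GET a Redfish resource with HTTP basic auth and decode the JSON body."""
    req = urllib.request.Request(base + path, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=10, context=context) as resp:
        return json.load(resp)


def audit_bmc(host, user, password, approved, context=None):
    """Walk the Manager collection of one BMC and audit every member.
    BMC certificates are often self-signed: pass an ssl.SSLContext that
    trusts the internal CA rather than disabling verification."""
    base = f"https://{host}"
    auth = b64encode(f"{user}:{password}".encode()).decode()
    root = fetch_json(base, "/redfish/v1/", auth, context)
    members = fetch_json(base, root["Managers"]["@odata.id"], auth, context)["Members"]
    return [audit_manager(host, root, fetch_json(base, m["@odata.id"], auth, context), approved)
            for m in members]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with audit_bmc()
    # calls over the real management network.
    print(audit_manager("bmc-01.mgmt.example", SAMPLE_ROOT, SAMPLE_MANAGER, {"Example BMC": "1.01.0"}))
```

Any entry with `needs_review` set should be checked against the vendor's advisory before the controller is considered patched.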