Cyber Posture

CVE-2024-54085

Critical · CISA KEV · Active Exploitation

Published: 11 March 2025
Modified: 05 November 2025
KEV Added: 25 June 2025
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4297 (97.5th percentile)
Risk Priority: 65 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may modify component firmware to persist on systems.

Security Summary

CVE-2024-54085 is a vulnerability in AMI's SPx service processor, specifically within the Baseboard Management Controller (BMC), that allows a remote attacker to bypass authentication via the Redfish Host Interface. Published on 2025-03-11, it is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-290 (Authentication Bypass). Successful exploitation can lead to loss of confidentiality, integrity, and/or availability of the affected system.

The vulnerability can be exploited by any unauthenticated remote attacker over the network, with low attack complexity and no user interaction required. Once authentication is bypassed, the attacker gains unauthorized access to the BMC, with potential high-impact effects including data exposure, modification of system configuration, and disruption of services.

Advisories from AMI (AMI-SA-2025003) and from affected vendors such as NetApp (ntap-20250328-0003) provide mitigation details, including available patches and remediation steps for the SPx BMC component.

Multiple reports document active real-world exploitation of CVE-2024-54085, including its addition to CISA's Known Exploited Vulnerabilities catalog. Coverage from Ars Technica, Eclypsium, and BleepingComputer notes that it puts thousands of servers at risk, with attackers able to brick systems through the AMI MegaRAC management firmware.

Details

CWE(s): CWE-290
KEV Date Added: 25 June 2025

Affected Products

Vendor    Product            Versions
ami       megarac sp-x       12 through 12.7; 13 through 13.5
netapp    h300s firmware     all versions
netapp    h500s firmware     all versions
netapp    h700s firmware     all versions
netapp    h410s firmware     all versions
netapp    h410c firmware     all versions
netapp    sg6160 firmware    all versions
netapp    sgf6112 firmware   all versions
netapp    sg110 firmware     all versions
netapp    sg1100 firmware    all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Local Account (Persistence)
  Adversaries may create a local account to maintain access to victim systems.

T1210 Exploitation of Remote Services (Lateral Movement)
  Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1003 OS Credential Dumping (Credential Access)
  Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

T1040 Network Sniffing (Credential Access)
  Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1529 System Shutdown/Reboot (Impact)
  Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

T1495 Firmware Corruption (Impact)
  Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or…

T1542.002 Component Firmware (Stealth)
  Adversaries may modify component firmware to persist on systems.
Why these techniques?

CVE-2024-54085 enables remote authentication bypass on the BMC's Redfish interface, which maps to exploitation of a public-facing application (T1190) and of a remote service (T1210). Control of the BMC can then be used for local account creation (T1136.001), OS credential dumping via host memory access (T1003), network sniffing (T1040), system shutdown/reboot (T1529), firmware corruption (T1495), and component firmware persistence (T1542.002).
