Digital Event Horizon
A critical vulnerability in AMI's MegaRAC BMC firmware is being exploited to take complete control of thousands of servers used in data centers. It carries the maximum severity rating, and the potential for exploitation is broad, including implanting malicious code into the firmware and corrupting devices.
Thousands of servers, many of them critical to data centers, are exposed to a severe vulnerability. At the center of the issue is the AMI MegaRAC firmware package, which allows servers to be accessed and managed remotely without a physical presence. The vulnerability (CVE-2024-54085) allows authentication to be bypassed with a simple web request, making it easy for attackers to gain control. Attackers can then perform a range of malicious actions, including rebooting or reimaging servers, evading endpoint protection tools, and corrupting firmware. Some vendors have not released patches yet, and admins should check with their manufacturer to determine where they stand. The suspected culprits are espionage groups working on behalf of the Chinese government, given their history of exploiting firmware vulnerabilities. Admins are advised to examine every BMC in their fleets to confirm it is not exposed to exploitation and to take proactive measures to secure their networks.
The cybersecurity world has been abuzz lately with news of a severe vulnerability affecting thousands of servers, many of which are crucial to data centers. According to recent warnings from the US Cybersecurity and Infrastructure Security Agency (CISA), hackers have taken advantage of this vulnerability to gain complete control over these server fleets.
The AMI MegaRAC firmware package is at the center of this issue. This widely used firmware runs on motherboard-attached microcontrollers known as baseboard management controllers (BMCs) and lets administrators remotely access and manage servers without being physically present. BMCs give extraordinary control over servers inside data centers, which makes them a prime target for malicious actors.
The vulnerability in question, CVE-2024-54085, is rated at the maximum severity of 10 out of 10. Discovered by security firm Eclypsium and disclosed in March, it allows authentication to be bypassed with a simple web request sent to a vulnerable BMC's management interface over HTTP. In practice, an attacker who can reach that interface can create an admin account on the BMC without presenting any credentials.
CISA has since added CVE-2024-54085 to its Known Exploited Vulnerabilities catalog. Eclypsium researchers have warned that the scope of these exploits is potentially broad and could include chaining multiple BMC attacks to implant malicious code directly into the firmware, where its presence is difficult to detect.
Attackers with access to the BMC can perform a range of malicious actions, such as rebooting or reimaging servers, evading endpoint protection tools, and even corrupting firmware. This not only disrupts server operations but also puts sensitive data at risk, because BMC access allows an attacker to sniff system memory and network interfaces.
Server makers whose products use the affected firmware include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm. Not all of them have released patches yet. Admins who are unsure of the status of their hardware are advised to check with their manufacturer.
With no publicly disclosed details of the ongoing attacks, it remains unclear which groups are behind them. Eclypsium suspects espionage groups working on behalf of the Chinese government, given their history of exploiting firmware vulnerabilities to gain persistent access to high-value targets.
Given the severity, admins should examine every BMC in their fleets, confirm that each is running patched firmware, and look for signs that it has already been exploited. With such a wide range of affected server makers and the damage this vulnerability makes possible, it is crucial for organizations to take proactive measures to secure their networks.
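The article's two concrete points, that the flaw lets an unauthenticated attacker create an admin account on the BMC, and that admins should review every BMC in the fleet, can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the article, AMI, Eclypsium or CISA. It queries two DMTF-standard Redfish resources, `/redfish/v1/AccountService/Accounts` and `/redfish/v1/Managers/<id>`, to list BMC accounts and the running firmware version, then flags enabled privileged accounts you did not provision and firmware older than the version your vendor says is fixed. The manager id `1`, the allowlist, the fixed-version threshold and the sample account data are assumptions or constructed data; the real fixed version comes from your vendor's advisory, which the article does not quote.

```python
"""Fleet check for MegaRAC-style BMCs over Redfish.

Added example for this article, not code from the article, AMI, CISA or
Eclypsium. /redfish/v1/AccountService/Accounts and /redfish/v1/Managers/<id>
are DMTF Redfish standard resources; the manager id "1", the allowlist,
the fixed-version placeholder and the sample responses are assumptions or
constructed data.
"""
from __future__ import annotations

import base64
import json
import re
import ssl
import sys
import urllib.request
from typing import Iterable

# Redfish built-in roles that can change configuration or power state.
PRIVILEGED_ROLES = {"Administrator", "Operator"}

# Constructed sample: a ManagerAccount collection after an attacker has
# added an account. Not captured from a real BMC.
SAMPLE_ACCOUNTS = [
    {"UserName": "admin", "RoleId": "Administrator", "Enabled": True},
    {"UserName": "monitor", "RoleId": "ReadOnly", "Enabled": True},
    {"UserName": "", "RoleId": "ReadOnly", "Enabled": False},  # empty slot
    {"UserName": "svc_backup", "RoleId": "Administrator", "Enabled": True},
]
ALLOWLIST = {"admin", "monitor"}  # accounts you actually provisioned (assumed)


def classify_accounts(accounts: Iterable[dict], allowlist: set[str]) -> dict:
    """Flag enabled privileged accounts that are not on the allowlist.

    Each element of `accounts` is a Redfish ManagerAccount resource (dict).
    Disabled entries and empty slots count as expected so a fleet-wide run
    only surfaces real anomalies.
    """
    suspicious, expected = [], []
    for acct in accounts:
        name = acct.get("UserName", "")
        if (acct.get("Enabled", True) and acct.get("RoleId") in PRIVILEGED_ROLES
                and name not in allowlist):
            suspicious.append(name)
        else:
            expected.append(name)
    return {"suspicious": sorted(suspicious), "expected": sorted(expected)}


def firmware_needs_update(current: str, fixed: str) -> bool:
    """True when `current` sorts below `fixed` as dotted numeric versions.

    Vendors format FirmwareVersion differently ("1.12", "01.03.12", ...);
    this handles numeric dotted strings and anything else should be checked
    by hand against the vendor advisory.
    """
    def key(v: str) -> tuple[int, ...]:
        return tuple(int(p) for p in re.findall(r"\d+", v))
    return key(current) < key(fixed)


def _get(base_url: str, path: str, user: str, password: str,
         verify_tls: bool = True, timeout: int = 10) -> dict:
    """GET a Redfish resource with HTTP basic auth and return parsed JSON."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # BMCs often ship self-signed certs; pin or import them when you can
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def audit_bmc(base_url: str, user: str, password: str, allowlist: set[str],
              fixed_version: str, manager_id: str = "1",
              verify_tls: bool = True) -> dict:
    """Pull accounts and firmware version from one BMC and evaluate both."""
    coll = _get(base_url, "/redfish/v1/AccountService/Accounts", user, password, verify_tls)
    accounts = [_get(base_url, m["@odata.id"], user, password, verify_tls)
                for m in coll.get("Members", [])]
    manager = _get(base_url, f"/redfish/v1/Managers/{manager_id}", user, password, verify_tls)
    version = manager.get("FirmwareVersion", "")
    result = classify_accounts(accounts, allowlist)
    result["firmware_version"] = version
    result["needs_update"] = firmware_needs_update(version, fixed_version) if version else None
    return result


if __name__ == "__main__":
    # Usage: python bmc_audit.py https://<bmc-ip> <user> <password> <fixed-version>
    # With no arguments it runs offline against the constructed sample above.
    if len(sys.argv) == 5:
        out = audit_bmc(sys.argv[1], sys.argv[2], sys.argv[3], ALLOWLIST,
                        sys.argv[4], verify_tls=False)
    else:
        out = classify_accounts(SAMPLE_ACCOUNTS, ALLOWLIST)
    print(json.dumps(out, indent=2))
```

Two caveats when running this across a fleet. A clean account list is not proof of a clean BMC: the article notes that attackers can implant code in the firmware itself, which a Redfish query will not reveal, so treat an unexpected account as a strong signal and its absence as weak evidence. And the check only matters if the BMC management interface is reachable; the same reachability is what the attacker needs, so confirm that BMC ports are on an isolated management network rather than exposed over HTTP to anything untrusted.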
Ars Technica will continue to monitor updates on this issue and provide further insights as necessary.
Related Information:
https://www.digitaleventhorizon.com/articles/AMIG-MegaRAC-Vulnerability-A-Threat-to-Server-Security-deh.shtml
https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/
Published: Thu Jun 26 18:55:25 2025 by llama3.2 3B Q4_K_M