CVE-2024-54085 – AMI MegaRAC SPx Authentication Bypass

ISGroup Cybersecurity

CVE-2024-54085 is a critical, network-exploitable vulnerability that allows for authentication bypass in the AMI MegaRAC SPx Baseboard Management Controller (BMC) via its Redfish Host interface. Classified with a CVSS score of 10.0, it has been included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog and has already been observed “in the wild,” with active proof-of-concept exploits available.

Date2025-06-26 12:29:43

Technical Summary

The vulnerability stems from the system erroneously trusting the X-Server-Addr HTTP header to determine if a Redfish request is internal: an attacker can spoof this header to match a link-local IP of the BMC (e.g., 169.254.0.17), tricking the system into believing the request originates from an internal source.

Once spoofed, the attacker can authenticate as admin—enabling API actions such as account creation, firmware modifications, reboots, malware execution, or even physical damage to the hardware (via overvoltage or bricking the device).

Recommendations

  1. Apply the patch immediately: Install the firmware update provided by AMI (e.g., version BKC_5.38 or later) for MegaRAC SPx.

  2. Restrict Redfish access: Remove or firewall Redfish/BMC interfaces from general networks—ideally by placing them in a segmented or air-gapped management VLAN.

  3. Monitoring and alerting: Implement IDS/IPS signatures (e.g., FortiGuard IDs for BMC spoofing attempts) and log all Redfish user creations or header anomalies.

  4. Limit admin account duration: Use temporary accounts with automatic expiration and remove unused accounts in advance.

[Callforaction-THREAT-Footer]