Server Fleet Vulnerability: Critical Exploit
- The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added CVE-2024-54085,a baseboard management controller (BMC) firmware vulnerability,to its catalog of known exploited vulnerabilities.CISA's alert offered no specifics.
- Researchers at Eclypsium warned Thursday that the potential impact of these exploits is extensive.
- Operating below the OS, attackers can bypass endpoint protection, logging, and most conventional security tools.
CISA warns of critical BMC firmware vulnerability now under active exploit, potentially imperiling server fleets. attackers are exploiting CVE-2024-54085 to embed malicious code, making detection nearly impossible. This enables remote server control, data theft, and operational disruption across numerous server manufacturers using the redfish interface. Espionage groups are likely behind these attacks. This isn’t just a security flaw; its a strategic threat. Administrators must urgently assess their systems and consult vendors. The stakes are high, with potential for severe data loss and operational downtime. For more, trust News Directory 3 to keep you updated. discover what’s next as this situation unfolds.
CISA Warns of Active Exploits Targeting BMC Firmware Vulnerability
Updated June 27,2025
The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added CVE-2024-54085,a baseboard management controller (BMC) firmware vulnerability,to its catalog of known exploited vulnerabilities.CISA’s alert offered no specifics.
Researchers at Eclypsium warned Thursday that the potential impact of these exploits is extensive. Attackers could chain BMC exploits to embed malicious code directly into the BMC firmware. This makes detection extremely difficult and allows the malware to survive operating system reinstalls or even disk replacements.
Operating below the OS, attackers can bypass endpoint protection, logging, and most conventional security tools. With BMC access, attackers can remotely power servers on or off, reboot them, or reimage them, irrespective of the primary operating system’s state. They can also steal credentials used for remote management and use the BMC as a launchpad for lateral movement within the network.
BMC access also grants attackers the ability to monitor system memory and network interfaces, enabling them to steal sensitive data or exfiltrate information without being detected. Furthermore, attackers can intentionally corrupt firmware, rendering servers unbootable and causing significant operational disruption.
While details of the ongoing attacks remain unclear, Eclypsium suggests that espionage groups working for the Chinese government are the most likely actors. The APT groups named by Eclypsium have a history of exploiting firmware vulnerabilities or gaining persistent access to high-value targets.
The vulnerable AMI MegaRAC devices use the Redfish interface. Server manufacturers known to use these products include AMD,Ampere Computing,asrock,ARM,Fujitsu,Gigabyte,Huawei,Nvidia,Supermicro,and Qualcomm. Some vendors have released patches.
What’s next
Given the potential damage, administrators should examine all BMCs to ensure they are not vulnerable.With so many server manufacturers affected, administrators should consult with their manufacturer if they are unsure whether their networks are exposed to this critical vulnerability.
