CVE-2024-54085 Overview
CVE-2024-54085 is a critical authentication bypass vulnerability in AMI's MegaRAC SPx Baseboard Management Controller (BMC) firmware. The vulnerability exists in the Redfish Host Interface implementation, allowing remote attackers to bypass authentication mechanisms and gain unauthorized access to server management functions. A successful exploitation of this vulnerability may lead to complete loss of confidentiality, integrity, and availability of affected systems.
The BMC (Baseboard Management Controller) is a specialized microcontroller embedded in server motherboards that provides out-of-band management capabilities. It operates independently of the main system processor and operating system, allowing administrators to remotely monitor, manage, and control servers even when they are powered off. The Redfish API is a modern RESTful interface standard for BMC management, and this vulnerability specifically affects how authentication is handled through this interface.
Critical Impact
Remote attackers can bypass BMC authentication to gain full server control, potentially bricking servers, installing persistent malware, or exfiltrating sensitive data. This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
Affected Products
- AMI MegaRAC SP-X firmware
- NetApp H300S, H500S, H700S storage systems and firmware
- NetApp H410S, H410C systems and firmware
- NetApp SG6160, SGF6112, SG110, SG1100 storage appliances and firmware
Discovery Timeline
- 2025-03-11 - CVE-2024-54085 published to NVD
- 2025-11-05 - Last updated in NVD database
Technical Details for CVE-2024-54085
Vulnerability Analysis
This vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing), indicating that the BMC's Redfish Host Interface fails to properly verify the identity of remote entities attempting to authenticate. The flaw allows attackers to circumvent the authentication process entirely, gaining access to privileged BMC functions without providing valid credentials.
The exploitation potential of this vulnerability is significant due to the nature of BMC access. Once an attacker bypasses authentication, they gain control over critical server management functions including power management, firmware updates, sensor monitoring, and remote console access. Because the BMC operates at a lower level than the operating system, compromise at this level can persist through OS reinstallation and can be extremely difficult to detect or remediate.
The vulnerability affects the Redfish Host Interface, which is designed to allow the host operating system to communicate with the BMC through an in-band interface. The authentication bypass allows remote network-based exploitation without requiring user interaction or prior privileges on the target system.
Root Cause
The root cause of CVE-2024-54085 lies in improper authentication validation within the Redfish Host Interface implementation in AMI's MegaRAC SPx firmware. The authentication mechanism fails to adequately verify the legitimacy of incoming requests, allowing attackers to spoof or bypass credential verification entirely.
The Redfish Host Interface is intended to provide a secure communication channel between the host system and BMC, but the flawed implementation allows unauthenticated requests to be processed as if they originated from legitimate, authenticated sources. This fundamental authentication flaw enables complete bypass of access controls.
Attack Vector
The attack vector for CVE-2024-54085 is network-based, requiring no user interaction and no prior privileges on the target system. Attackers can remotely target exposed BMC interfaces over the network, making this vulnerability particularly dangerous in environments where BMC management interfaces are accessible from untrusted networks.
Once exploitation is successful, attackers can:
- Execute arbitrary commands on the BMC
- Modify server firmware, potentially installing persistent backdoors
- Access sensitive configuration data and credentials
- Control server power states, including remotely bricking systems
- Intercept or manipulate server boot processes
- Access virtual console and keyboard/video/mouse (KVM) functionality
The vulnerability's network-accessible nature combined with the sensitive functions controlled by the BMC makes this an extremely attractive target for threat actors seeking persistent access to enterprise infrastructure.
Detection Methods for CVE-2024-54085
Indicators of Compromise
- Unexpected or unauthorized logins to BMC management interfaces, particularly via Redfish API
- Anomalous network traffic patterns to BMC management ports (typically TCP 443 for Redfish)
- Unauthorized firmware updates or configuration changes logged by the BMC
- Unexpected power cycles or server state changes not initiated by administrators
Detection Strategies
- Monitor BMC event logs for authentication anomalies, failed login attempts, or unusual access patterns
- Implement network monitoring and alerting for connections to BMC management interfaces from unauthorized IP addresses
- Deploy intrusion detection system (IDS) rules to identify suspicious Redfish API requests
- Conduct periodic firmware integrity verification to detect unauthorized modifications
- Correlate BMC access logs with known administrative activities to identify unauthorized access
Monitoring Recommendations
- Segment BMC management networks and monitor all traffic crossing network boundaries
- Implement centralized logging for all BMC events and forward to SIEM for analysis
- Establish baselines for normal BMC management activity and alert on deviations
- Enable detailed audit logging on BMC interfaces where supported
How to Mitigate CVE-2024-54085
Immediate Actions Required
- Review and apply security patches from AMI and affected hardware vendors immediately
- Isolate BMC management interfaces from untrusted networks, including the internet
- Audit BMC access logs for signs of unauthorized access or suspicious activity
- Implement strict network access controls limiting BMC management access to authorized administrative hosts only
- Verify firmware integrity on affected systems to ensure no unauthorized modifications have been made
Patch Information
AMI has released security patches to address CVE-2024-54085 as documented in AMI Security Advisory 2025003. Organizations using affected hardware should coordinate with their hardware vendors for appropriate firmware updates. NetApp has also published guidance for affected systems in NetApp Security Advisory NTAP-20250328-0003.
Given that this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and is actively being exploited in the wild, patching should be treated as an urgent priority. For additional context on the active exploitation, refer to the CISA KEV Catalog entry.
Workarounds
- Place BMC management interfaces on isolated, dedicated management VLANs with strict access controls
- Implement firewall rules to restrict Redfish API access to only authorized management hosts
- Disable the Redfish Host Interface if not required for operations until patches can be applied
- Use VPN or jump hosts to access BMC interfaces, avoiding direct exposure to broader networks
- Enable and monitor authentication logging to detect exploitation attempts
# Example: Restrict BMC access using iptables (adjust ports and IPs as needed)
# Block all incoming traffic to BMC Redfish port except from management subnet
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Alternative: Use firewalld to create a restricted zone for BMC access
firewall-cmd --permanent --new-zone=bmc-mgmt
firewall-cmd --permanent --zone=bmc-mgmt --add-source=10.0.1.0/24
firewall-cmd --permanent --zone=bmc-mgmt --add-port=443/tcp
firewall-cmd --reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
