CVE-2024-54085

9.8 CRITICAL CISA KEV

📋 TL;DR

CVE-2024-54085 is a critical authentication bypass vulnerability in AMI's SPx BMC firmware that allows remote attackers to gain unauthorized access through the Redfish Host Interface without credentials. This affects servers using vulnerable AMI BMC firmware versions, potentially compromising thousands of enterprise servers and data centers. Successful exploitation can lead to complete system compromise including bricking servers.

💻 Affected Systems

Products:
  • AMI SPx BMC firmware
  • AMI MegaRAC SP-X
  • Various OEM servers using AMI BMC firmware
Versions: Multiple versions prior to patched releases (specific versions vary by OEM)
Operating Systems: All operating systems running on affected hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects servers from multiple vendors using AMI BMC firmware. The Redfish interface is typically enabled by default in modern BMC implementations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise allowing attackers to brick servers permanently, deploy ransomware, exfiltrate sensitive data, and establish persistent backdoors in data centers.

🟠 Likely Case: Attackers gain administrative access to BMC, allowing them to install malware, steal credentials, manipulate firmware, and potentially disrupt server operations.

🟢 If Mitigated: With proper network segmentation and access controls, impact is limited to isolated management networks, though lateral movement within the management plane remains possible.

🌐 Internet-Facing: HIGH - Redfish interfaces exposed to the internet are directly exploitable without authentication, making internet-facing servers immediate targets.
🏢 Internal Only: HIGH - Even internally, attackers who gain network access can exploit this vulnerability to compromise BMC management across the organization.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild according to CISA's Known Exploited Vulnerabilities catalog. Exploitation requires network access to the Redfish interface (typically port 443/HTTPS).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by OEM - check with specific server vendor for patched firmware versions

Vendor Advisory: https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf

Restart Required: Yes

Instructions:

1. Contact your server vendor for specific patched firmware.
2. Download the appropriate firmware update.
3. Apply the BMC firmware update following vendor instructions.
4. Reboot the BMC (the server may also require a reboot).
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)
  • Isolate BMC management interfaces from untrusted networks and restrict access to authorized IPs only
  • Use firewall rules to restrict access to BMC IPs/ports (typically 443, 623, 664) to management networks only

Disable Redfish Interface (applies to: all)
  • Temporarily disable the Redfish interface if not required for operations
  • Check BMC configuration for a Redfish disable option - varies by vendor

🧯 If You Can't Patch

  • Implement strict network access controls to BMC interfaces allowing only from trusted management networks
  • Monitor BMC logs for unauthorized access attempts and implement intrusion detection for BMC management traffic

🔍 How to Verify

Check if Vulnerable:

Check BMC firmware version against vendor advisories. Attempt to access Redfish interface without authentication to test for bypass (use caution).

Check Version:

ipmitool mc info | grep 'Firmware Revision' or check via vendor-specific BMC management tools

Verify Fix Applied:

Verify BMC firmware version matches patched version from vendor. Test that authentication is required for Redfish interface access.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated Redfish API calls in BMC logs
  • Failed authentication attempts followed by successful access
  • Unusual BMC configuration changes

Network Indicators:

  • Unusual traffic to BMC management ports (443, 623) from unauthorized sources
  • Redfish API calls without authentication headers

SIEM Query:

source="bmc_logs" AND (event="authentication_bypass" OR (auth_result="failure" AND subsequent_event="success"))
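As an added example (not part of this page and not AMI's or any vendor's code), the two log indicators and the SIEM query above can be evaluated offline over a constructed BMC access log. The key=value line format is hypothetical; a real BMC's logs vary by vendor and must be mapped to these fields first.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value BMC access-log format
# (not a real vendor format): timestamp, source IP, method, path, credential
# type presented ("none" = no Authorization/X-Auth-Token header), HTTP status.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 method=GET path=/redfish/v1 auth=none status=200
ts=2 src=10.0.0.5 method=GET path=/redfish/v1/Managers/1 auth=basic status=401
ts=3 src=10.0.0.5 method=GET path=/redfish/v1/Managers/1 auth=basic status=401
ts=4 src=10.0.0.5 method=GET path=/redfish/v1/AccountService/Accounts auth=none status=200
ts=5 src=10.0.0.9 method=GET path=/redfish/v1/Systems/1 auth=token status=200
ts=6 src=10.0.0.7 method=GET path=/redfish/v1/odata auth=none status=200
"""

# Redfish resources that the specification allows to be served without credentials;
# a 2xx on any other /redfish path with no credential is the first log indicator.
UNAUTH_OK = {"/redfish", "/redfish/v1", "/redfish/v1/odata", "/redfish/v1/$metadata"}

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) method=(\S+) path=(\S+) auth=(\S+) status=(\d+)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, auth, status = m.groups()
    return {"ts": int(ts), "src": src, "method": method, "path": path,
            "auth": auth, "status": int(status)}

def is_protected_success(e):
    return (e["path"].startswith("/redfish") and 200 <= e["status"] < 300
            and e["path"].rstrip("/") not in UNAUTH_OK)

def find_indicators(log_text):
    """Return (unauthenticated protected-resource hits, sources with 401s followed by success)."""
    events = [e for e in (parse(ln) for ln in log_text.splitlines()) if e]
    unauth_hits = [e for e in events if e["auth"] == "none" and is_protected_success(e)]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    fail_then_success = []
    for src, evs in by_src.items():          # second indicator: failure(s) then success
        failed = False
        for e in evs:
            if e["status"] == 401:
                failed = True
            elif failed and is_protected_success(e):
                fail_then_success.append(src)
                break
    return unauth_hits, fail_then_success

if __name__ == "__main__":
    hits, sources = find_indicators(SAMPLE_LOG)
    print([h["ts"] for h in hits], sources)   # [4] ['10.0.0.5']
```

The service-root and odata lines are not flagged because the Redfish specification permits unauthenticated reads of those resources; only the credential-less 200 on AccountService/Accounts, and the 401/401/200 sequence from the same source, produce findings.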
