AMI MegaRAC BMC flaw exposes servers to RCE
Out-of-band management is no longer the quiet back door for administrators; it is becoming the front door for attackers.
TL;DR
CIS warned that an AMI MegaRAC BMC firmware vulnerability can let unauthenticated attackers reach the Redfish interface, remotely control servers, deploy ransomware, tamper with firmware, or brick components. The advisory refers to CVE-2025-54085, while NVD and the cited AMI materials track CVE-2024-54085. Defense contractors, primes, state CISOs, and municipal IT teams running affected AMI, HPE Cray XD670, or Asus RS720A-E11-RS24U systems should treat patch verification and BMC exposure review as immediate work.
CIS rates the AMI MegaRAC issue high for federal and large enterprise environments because the target is not another application server sitting behind normal endpoint tooling. It is the baseboard management controller, the lights-out management plane that exists so administrators can control a box when the operating system is dead. According to the advisory, exploitation can allow remote server control, ransomware deployment, firmware tampering, motherboard component bricking, possible BIOS or UEFI damage, and reboot loops a victim cannot stop.
The technical path is the part practitioners should not skim. The advisory says AMI SPx contains a BMC vulnerability that can be exploited through the Redfish Host Interface without authentication. NVD describes CVE-2024-54085 as a remote authentication bypass through the Redfish Host Interface with a CVSS 3.1 score of 9.8, while the CIS advisory text also refers to CVE-2025-54085 in its proof-of-concept note. That mismatch is not cosmetic for compliance teams trying to prove remediation. Ticket both identifiers until the OEM advisory, scanner plugin, and asset evidence agree.
Affected products listed by CIS include AMI UEFI versions before BKC_5.38, AptioV versions before BKC_5.38, HPE Cray XD670 1.09 physical and Qemu, 1.13 physical and Qemu, 1.17 Qemu, and Asus RS720A-E11-RS24U 1.2.27 Qemu. CIS says proof-of-concept exploit code has been posted by Eclypsium, but the advisory does not specify whether exploitation has moved beyond that, nor does it give a complete patch timeline from AMI, HPE, or Asus.
For defense-industrial-base operators, primes, state CISOs, and municipal IT, the Monday work is inventory first, patch second, exposure control immediately. Find MegaRAC and affected OEM systems, confirm whether Redfish and other BMC management paths are reachable from anything broader than the management network, apply vendor updates after testing, and preserve evidence that maps the corrected firmware version to the CVE record. This is the second major out-of-band management remote-code-execution issue in 18 months, which is a good way of saying the old assumption that BMC risk is niche is now mostly wishful thinking.
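The "inventory first, exposure control immediately, patch second" sequence above can be turned into a repeatable triage pass. The script below is an added example written for this article, not code from CIS, AMI, HPE or Asus. It takes an asset export (a constructed inline sample here, in the shape a CMDB or Redfish firmware-inventory pull might produce), classifies each firmware version against the affected-product list as the advisory reproduces it (AMI UEFI/AptioV before BKC_5.38 by numeric comparison; the HPE Cray XD670 and Asus RS720A-E11-RS24U entries by exact version match), checks whether the BMC address sits inside an approved management range (the CIDR is a placeholder you would replace with your own), and emits an evidence record that carries both CVE identifiers so the ticket survives the numbering mismatch.

```python
import ipaddress
import re

# Both identifiers appear in the coverage of this issue; keep both on the
# ticket until the OEM advisory, scanner plugin and asset evidence agree.
CVE_IDS = ("CVE-2024-54085", "CVE-2025-54085")

# Affected versions as listed by CIS. AMI UEFI/AptioV: versions before BKC_5.38.
AMI_FIXED_BKC = (5, 38)
# OEM platforms: the exact versions the advisory lists as affected.
OEM_AFFECTED = {
    ("HPE", "Cray XD670"): {"1.09", "1.13", "1.17"},
    ("Asus", "RS720A-E11-RS24U"): {"1.2.27"},
}

# Placeholder (assumption): address ranges from which BMC/Redfish reachability
# is acceptable. Replace with the real management CIDRs.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.250.0.0/16")]


def parse_bkc(version):
    """Return (major, minor) for an AMI 'BKC_x.y' string, or None if it does not match."""
    m = re.fullmatch(r"BKC_(\d+)\.(\d+)", version.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_status(vendor, product, version):
    """Classify a firmware version against the CIS affected-product list."""
    if vendor == "AMI" and product in ("UEFI", "AptioV"):
        parsed = parse_bkc(version)
        if parsed is None:
            return "unparseable-version"
        return "affected" if parsed < AMI_FIXED_BKC else "at-or-above-fixed"
    listed = OEM_AFFECTED.get((vendor, product))
    if listed is None:
        return "product-not-in-advisory"
    return "affected" if version in listed else "not-listed-verify-with-oem"


def bmc_exposure(bmc_ip, management_networks=MANAGEMENT_NETWORKS):
    """'management-only' when the BMC address sits inside an approved management range."""
    addr = ipaddress.ip_address(bmc_ip)
    inside = any(addr in net for net in management_networks)
    return "management-only" if inside else "outside-management-network"


def triage(assets):
    """One evidence record per asset: version status, exposure, CVE ids and the next action."""
    records = []
    for a in assets:
        status = version_status(a["vendor"], a["product"], a["version"])
        exposure = bmc_exposure(a["bmc_ip"])
        if status == "affected" and exposure == "outside-management-network":
            action = "isolate-bmc-then-patch"      # exposure control before anything else
        elif status == "affected":
            action = "patch-after-test"
        elif status in ("unparseable-version", "not-listed-verify-with-oem",
                        "product-not-in-advisory"):
            action = "verify-with-oem-advisory"    # advisory gives no complete patch timeline
        else:
            action = "record-evidence-only"        # already at/after the fixed version
        records.append({
            "host": a["host"], "vendor": a["vendor"], "product": a["product"],
            "version": a["version"], "status": status, "exposure": exposure,
            "cve_ids": CVE_IDS, "action": action,
        })
    return records


# Constructed sample inventory (hypothetical hosts and addresses, not real systems).
SAMPLE_ASSETS = [
    {"host": "bmc-01", "vendor": "AMI", "product": "AptioV", "version": "BKC_5.36", "bmc_ip": "10.250.4.11"},
    {"host": "bmc-02", "vendor": "AMI", "product": "UEFI", "version": "BKC_5.38", "bmc_ip": "10.250.4.12"},
    {"host": "bmc-03", "vendor": "HPE", "product": "Cray XD670", "version": "1.13", "bmc_ip": "192.0.2.40"},
    {"host": "bmc-04", "vendor": "Asus", "product": "RS720A-E11-RS24U", "version": "1.3.0", "bmc_ip": "10.250.4.14"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ASSETS):
        print(r["host"], r["version"], r["status"], r["exposure"], r["action"], ", ".join(r["cve_ids"]))
```

The records are the artifact compliance reviewers will ask for: each one ties a host and its observed firmware version to both CVE identifiers and to a decision, so re-running the pass after patching produces a before/after pair for the same host. Versions the advisory does not list are deliberately routed to "verify-with-oem-advisory" rather than marked clean, because the article notes the advisory gives no complete patch timeline from AMI, HPE or Asus.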
Published · Deep Fathom