Cyber Resilience

CVE-2024-54085

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 March 2025
Modified: 05 November 2025
KEV Added: 25 June 2025
Patch
CVSS Score v4: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.4297 (97.6th percentile)
Risk Priority: 66 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-54085 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in AMI MegaRAC SP-X. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

AMI’s SPx contains a vulnerability in the BMC that permits remote authentication bypass through the Redfish Host Interface. The flaw is tracked as CVE-2024-54085, carries a CVSS 4.0 score of 10.0, and is associated with CWE-290.

An unauthenticated attacker with network access can exploit the issue to obtain unauthorized control, resulting in loss of confidentiality, integrity, and availability on the affected management controller.

Public advisories, including AMI-SA-2025003 and vendor notices from NetApp, direct administrators to apply the referenced patches, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog.

Multiple security outlets have reported active exploitation of the flaw against production servers, consistent with the observed EPSS values that reached a peak of 0.4672.

Vulnerability details

AMI’s SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

CWE(s): CWE-290 (Authentication Bypass by Spoofing)
KEV Date Added: 25 June 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1003 OS Credential Dumping (Credential Access)
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1529 System Shutdown/Reboot (Impact)
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

T1495 Firmware Corruption (Impact)
Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or…

T1542.002 Component Firmware (Stealth)
Adversaries may modify component firmware to persist on systems.

Why these techniques?

CVE-2024-54085 enables remote authentication bypass on the BMC Redfish interface, facilitating public-facing application exploitation (T1190), remote service exploitation (T1210), local account creation (T1136.001), OS credential dumping via memory access (T1003), network sniffing (T1040), system shutdown/reboot (T1529), firmware corruption (T1495), and component firmware persistence (T1542.002).

MITRE ATLAS Techniques (AI)

AML.T0010.000: Hardware
AML.T0016.000: Adversarial AI Attack Implementations
AML.T0024.000: Infer Training Data Membership
AML.T0048.000: Financial Harm

CVEs Like This One

CVE-2022-0847 · Same product: NetApp H300S · both on KEV
CVE-2023-4911 · Same product: NetApp H300S · both on KEV
CVE-2025-0411 · Same product class: NAS / storage appliance · both on KEV
CVE-2025-24813 · Same product class: NAS / storage appliance · both on KEV
CVE-2024-56171 · Same product: NetApp H300S
CVE-2025-24928 · Same product: NetApp H300S
CVE-2021-3156 · Same product class: NAS / storage appliance · both on KEV
CVE-2025-59385 · Same product class: NAS / storage appliance
CVE-2021-44228 · Same product class: NAS / storage appliance · both on KEV
CVE-2020-1472 · Same product class: NAS / storage appliance · both on KEV

Affected Assets

ami megarac sp-x: 12 — 12.7 · 13 — 13.5
netapp h300s firmware: all versions
netapp h500s firmware: all versions
netapp h700s firmware: all versions
netapp h410s firmware: all versions
netapp h410c firmware: all versions
netapp sg6160 firmware: all versions
netapp sgf6112 firmware: all versions
netapp sg110 firmware: all versions
netapp sg1100 firmware: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Timely flaw remediation through application of AMI patches directly eliminates the authentication bypass vulnerability in the SPx BMC Redfish Host Interface.

Prevent: Boundary protection denies unauthorized remote network access to the vulnerable Redfish Host Interface, blocking exploitation by unauthenticated attackers.

Detect: Vulnerability scanning identifies systems with the unpatched CVE-2024-54085 BMC flaw for prioritized remediation.

References