CVE-2024-54085

CriticalCISA KEVActive Exploitation

Published: 11 March 2025

Published

11 March 2025

Modified

05 November 2025

KEV Added

25 June 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.4297 97.5th percentile

Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54085 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Ami Megarac Sp-X. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 7 other techniques. AI-specific risk: MITRE ATLAS Hardware (AML.T0010.000) plus 3 more. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through application of AMI patches directly eliminates the authentication bypass vulnerability in the SPx BMC Redfish Host Interface.

SC-7 Boundary Protection good match

prevent

Boundary protection denies unauthorized remote network access to the vulnerable Redfish Host Interface, blocking exploitation by unauthenticated attackers.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies systems with the unpatched CVE-2024-54085 BMC flaw for prioritized remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1136.001 Local Account Persistence

Adversaries may create a local account to maintain access to victim systems.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1003 OS Credential Dumping Credential Access

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

attack.mitre.org →

T1040 Network Sniffing Credential Access

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

attack.mitre.org →

T1529 System Shutdown/Reboot Impact

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

attack.mitre.org →

T1495 Firmware Corruption Impact

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or…

attack.mitre.org →

T1542.002 Component Firmware Stealth

Adversaries may modify component firmware to persist on systems.

attack.mitre.org →

Why these techniques?

CVE-2024-54085 enables remote authentication bypass on BMC Redfish interface, facilitating public-facing app exploitation (T1190), remote service exploitation (T1210), local account creation (T1136.001), OS credential dumping via memory access (T1003), network sniffing (T1040), system shutdown/reboot (T1529), firmware corruption (T1495), and component firmware persistence (T1542.002).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

NVD Description

AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

Deeper analysisAI

CVE-2024-54085 is a vulnerability in AMI's SPx service processor, specifically within the Baseboard Management Controller (BMC), that enables an attacker to bypass authentication remotely via the Redfish Host Interface. Published on 2025-03-11, it is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-290 (Authentication Bypass). Successful exploitation can lead to loss of confidentiality, integrity, and/or availability of the affected system.

The vulnerability can be exploited by any unauthenticated remote attacker over the network with low complexity and no user interaction required. Upon bypassing authentication, an attacker gains unauthorized access to the BMC, potentially achieving high-impact effects including data exposure, modification of system configurations, and disruption of services.

Advisories from AMI (AMI-SA-2025003) and affected vendors like NetApp (ntap-20250328-0003) provide details on mitigation, including available patches and remediation steps for the SPx BMC component.

Multiple reports highlight active real-world exploitation of CVE-2024-54085, including its addition to CISA's Known Exploited Vulnerabilities catalog. Coverage from Ars Technica, Eclypsium, and BleepingComputer notes that it imperils thousands of servers, with attackers able to brick systems via the AMI MegaRAC management tool.

Details

CWE(s): CWE-290
KEV Date Added: 25 June 2025

Affected Products

ami

megarac sp-x

12 — 12.7 · 13 — 13.5

netapp

h300s firmware

all versions

netapp

h500s firmware

all versions

netapp

h700s firmware

all versions

netapp

h410s firmware

all versions

netapp

h410c firmware

all versions

netapp

sg6160 firmware

all versions

netapp

sgf6112 firmware

all versions

netapp

sg110 firmware

all versions

netapp

sg1100 firmware

all versions

CVEs Like This One

CVE-2025-0411Same product class: NAS / storage applianceboth on KEV

CVE-2025-24813Same product class: NAS / storage applianceboth on KEV

CVE-2024-56171Same product: Netapp H300S

CVE-2025-24928Same product: Netapp H300S

CVE-2025-59385Same product class: NAS / storage appliance

CVE-2021-44228Same product class: NAS / storage applianceboth on KEV

CVE-2025-26512Same product class: NAS / storage appliance

CVE-2025-1736Same product class: NAS / storage appliance

CVE-2025-27423Same product class: NAS / storage appliance

CVE-2025-1861Same product class: NAS / storage appliance

References

https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
Vendor Advisory · biossecurity@ami.com
https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/
Press/Media Coverage, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://eclypsium.com/blog/bmc-vulnerability-cve-2024-05485-cisa-known-exploited-vulnerabilities/
Press/Media Coverage, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://security.netapp.com/advisory/ntap-20250328-0003/
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.bleepingcomputer.com/news/security/cisa-ami-megarac-bug-that-lets-hackers-brick-servers-now-actively-exploited/
Press/Media Coverage, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.networkworld.com/article/4013368/ami-megarac-authentication-bypass-flaw-is-being-exploitated-cisa-warns.html
Press/Media Coverage, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://nvd.nist.gov/vuln/detail/CVE-2024-54085
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://security.netapp.com/advisory/ntap-20250328-0003/
Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-54085
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0