Ethical Hacking News
A critical vulnerability in the AMI MegaRAC firmware package has been exploited by hackers to gain complete control over thousands of servers. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of this maximum-severity vulnerability, which allows attackers to manipulate server operations, steal sensitive data, and evade security tools. Administrators must take immediate action to assess their BMCs for vulnerabilities and implement patches to prevent exploitation of this critical flaw.
CISA has warned of a maximum-severity vulnerability in the AMI MegaRAC firmware package. The vulnerability allows for authentication bypasses, making it possible to gain control over servers without proper authentication. A single successful compromise of a BMC can be used to pivot into internal networks and compromise all other BMCs. The potential impact of this vulnerability is significant, with attackers able to implant malicious code directly into the BMC's firmware. Attackers could also remotely power on or off servers, reboot them, or reimage them without being detected. BMCs often have access to system memory and network interfaces, enabling attackers to exfiltrate information without detection. The vulnerability is tracked as CVE-2024-54085 and is believed to be exploited in the wild by APT groups working on behalf of the Chinese government.
In a disturbing development, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a maximum-severity vulnerability that has been exploited by hackers to gain complete control over thousands of servers. These servers are scattered throughout data centers across the United States, many of which handle mission-critical tasks.
The vulnerability in question resides in the AMI MegaRAC, a widely used firmware package that allows large fleets of servers to be remotely accessed and managed even when power is unavailable or the operating system isn't functioning. This is achieved through baseboard management controllers (BMCs), motherboard-attached microcontrollers that give extraordinary control over servers inside data centers.
Administrators use BMCs to reinstall operating systems, install or modify apps, and make configuration changes to large numbers of servers without physically being on premises and, in many cases, without the servers being turned on. Successful compromise of a single BMC can be used to pivot into internal networks and compromise all other BMCs.
The vulnerability, tracked as CVE-2024-54085, allows for authentication bypasses by making a simple web request to a vulnerable BMC device over HTTP. The flaw was discovered by security firm Eclypsium and disclosed in March, along with proof-of-concept exploit code allowing a remote attacker to create an admin account without providing any authentication.
While there were no known reports of the vulnerability being actively exploited at the time of the disclosure, CISA has now added CVE-2024-54085 to its list of vulnerabilities known to be exploited in the wild. This adds weight to the concerns raised by Eclypsium researchers, who warned that the scope of the exploits could be broad.
The potential impact of this vulnerability is significant, with attackers able to chain multiple BMC exploits to implant malicious code directly into the BMC's firmware, making their presence extremely difficult to detect and allowing them to survive OS reinstalls or even disk replacements. By operating below the OS, attackers can evade endpoint protection, logging, and most traditional security tools.
Attackers could also remotely power on or off, reboot, or reimage the server, regardless of the primary operating system's state. Furthermore, they can scrape credentials stored on the system, including those used for remote management, and use the BMC as a launchpad to move laterally within the network.
BMCs often have access to system memory and network interfaces, enabling attackers to sniff sensitive data or exfiltrate information without detection. If left unaddressed, this vulnerability could lead to significant operational disruption as attackers intentionally corrupt firmware, rendering servers unbootable.
It's unclear which groups may be behind these attacks, but Eclypsium has named five specific APT groups with a history of exploiting firmware vulnerabilities or gaining persistent access to high-value targets. These include groups working on behalf of the Chinese government, who are thought to be the most likely culprits.
Given the potential for this vulnerability to be exploited by a wide range of attackers, it's essential that administrators examine all BMCs in their fleets to ensure they aren't vulnerable. This may require consulting with server manufacturers when unsure if networks are exposed.
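One practical fleet check that follows from the account-creation behaviour described above is to compare each BMC's account list against a known baseline and flag any enabled Administrator account that was not provisioned by the operator. The example below is added here and is not code from the article or from AMI/Eclypsium; it assumes the BMC exposes a Redfish AccountService (MegaRAC does in many builds), and the account entries, baseline and hostnames are constructed sample data.

```python
import json
import urllib.request
from typing import Dict, List

# Constructed sample: the expanded members of a Redfish
# /redfish/v1/AccountService/Accounts collection. Field names follow the
# public Redfish ManagerAccount schema; the values are invented.
SAMPLE_ACCOUNTS: List[Dict] = [
    {"UserName": "admin",   "RoleId": "Administrator", "Enabled": True},
    {"UserName": "monitor", "RoleId": "ReadOnly",      "Enabled": True},
    {"UserName": "old_ops", "RoleId": "Administrator", "Enabled": False},
    {"UserName": "svc_x91", "RoleId": "Administrator", "Enabled": True},
]

# Hypothetical operator baseline: account name -> role it is allowed to hold.
EXPECTED_ACCOUNTS: Dict[str, str] = {"admin": "Administrator", "monitor": "ReadOnly"}


def unexpected_admins(accounts: List[Dict], expected: Dict[str, str]) -> List[str]:
    """Return enabled accounts that hold Administrator rights without being
    baselined as Administrator. Disabled accounts are reported separately by
    role_drift() so that a quietly re-enabled account is still visible."""
    findings = []
    for acct in accounts:
        if not acct.get("Enabled", False):
            continue
        if acct.get("RoleId") == "Administrator" and expected.get(acct.get("UserName")) != "Administrator":
            findings.append(acct["UserName"])
    return findings


def role_drift(accounts: List[Dict], expected: Dict[str, str]) -> Dict[str, str]:
    """Map every account that is not in the baseline, or whose role differs from
    it, to its current role (enabled or not), so the operator can review it."""
    drift = {}
    for acct in accounts:
        name, role = acct.get("UserName"), acct.get("RoleId")
        if name not in expected or expected[name] != role:
            drift[name] = role
    return drift


def fetch_accounts(base_url: str, token: str) -> List[Dict]:
    """Pull the account list from a live BMC over Redfish using an X-Auth-Token
    obtained from a session login. Hypothetical helper; not exercised offline."""
    collection = f"{base_url}/redfish/v1/AccountService/Accounts"
    req = urllib.request.Request(collection, headers={"X-Auth-Token": token})
    members = json.load(urllib.request.urlopen(req, timeout=10)).get("Members", [])
    out = []
    for m in members:
        r = urllib.request.Request(base_url + m["@odata.id"], headers={"X-Auth-Token": token})
        out.append(json.load(urllib.request.urlopen(r, timeout=10)))
    return out
```

Run the two comparison functions against every BMC's account list on a schedule and alert on any non-empty result; an Administrator account that nobody provisioned is exactly the artefact the disclosed proof-of-concept leaves behind.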
In light of these developments, it's more crucial than ever to prioritize server security and take proactive steps to prevent exploitation of this critical vulnerability. The impact of this exploit could be far-reaching, making it a priority for any organization handling sensitive data or reliant on servers that could potentially be compromised by an attacker.
Related Information:
https://www.ethicalhackingnews.com/articles/Exploiting-a-Critical-Vulnerability-The-AMI-MegaRAC-Scandal-ehn.shtml
https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/
Published: Thu Jun 26 18:48:58 2025 by llama3.2 3B Q4_K_M