Critical AMI MegaRAC Vulnerability Puts Millions of Servers at Risk, Urgent Patches Released
March 18, 2025
HPE and Lenovo have already released patched firmware versions for their servers, while Asus and Asrock Rack have yet to provide updates.
AMI's BMC firmware is utilized in devices from various manufacturers, impacting millions of devices globally.
The vulnerability primarily affects the Redfish management interface, enabling attackers to remotely control machines, deploy malware, and potentially cause physical damage to hardware components.
The vulnerability has been rated at maximum severity, reflecting the critical nature of the threat it poses.
A critical vulnerability in AMI's MegaRAC BMC software, tracked as CVE-2024-54085, allows attackers to bypass authentication and potentially take control of affected servers.
This vulnerability, which has a maximum CVSS score of 10.0, affects the remote management firmware used in servers from major manufacturers including Asus, HPE, and Lenovo.
AMI released patches for this vulnerability on March 11, 2025, and users are urged to update their systems according to OEM vendor recommendations.
Security experts from Eclypsium discovered the flaw and highlighted its severity, prompting AMI to issue security advisories and patches.
Patching these vulnerabilities may require device downtime, and fixes reach customers only after each manufacturer has integrated them into its own firmware and distributed the update.
Many server motherboards ship with remote management enabled by default and protected only by insecure credentials, which increases their exposure to attack.
CVE-2024-54085 is part of a series of vulnerabilities affecting AMI MegaRAC BMCs, collectively referred to as BMC&C, which includes multiple other critical flaws.
Exploitation of this flaw could lead to significant disruptions, including servers entering indefinite reboot loops, resulting in unrecoverable downtime.
Summary based on 4 sources
Sources

BleepingComputer • Mar 18, 2025
Critical AMI MegaRAC bug can let attackers hijack, brick servers
The Hacker News • Mar 18, 2025
New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking
SecurityWeek • Mar 18, 2025
Critical AMI BMC Vulnerability Exposes Servers to Disruption, Takeover