BMC Security Wake-Up Call: CVE-2024-54085 Becomes the First BMC Vulnerability on CISA’s Most Critical Exploited List
Imagine waking up to the realization that your organization’s servers—possibly the very backbone of your digital business—are defenseless against a remote hacker, thanks to a flaw in the “invisible” firmware running behind the scenes. For thousands of IT teams, this is no hypothetical. In June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-54085, a vulnerability in AMI’s MegaRAC Baseboard Management Controller (BMC) firmware, to its Known Exploited Vulnerabilities (KEV) catalog. This marks the first time any BMC vulnerability has earned a spot on CISA’s most critical exploited list—a signal that the stakes for infrastructure security are rising fast.
So, why is this news sending shockwaves through the cybersecurity world, and what does it mean for your organization? Let’s break down what makes CVE-2024-54085 so historic, so dangerous, and what you must do next to protect your infrastructure.
What Is CVE-2024-54085? The BMC Vulnerability Redefining “Critical”
Let’s start with the basics: CVE-2024-54085 is a remotely exploitable authentication bypass bug in AMI’s MegaRAC BMC firmware. That’s a mouthful, so let me explain.
Baseboard Management Controllers (BMCs) are tiny computers embedded on server motherboards. They help IT teams manage, monitor, and troubleshoot servers remotely—even when the main operating system is powered off. Because of this, BMCs have almost god-like access to the server hardware: rebooting, re-imaging, or even “bricking” machines at the click of a mouse.
Why Should You Care About a BMC Flaw?
Here’s the problem: if an attacker gains control of the BMC, they’re not just in your server—they’re underneath it. They can tamper with firmware, evade detection, and even cause physical damage.
CVE-2024-54085 specifically allows:
- Remote, unauthenticated attackers to bypass authentication and gain full BMC access
- No user interaction required—meaning it can be launched without anyone clicking a link or opening an attachment
- Complete server takeover, including deploying malware, tampering with firmware, or forcing endless reboot cycles
And since AMI’s MegaRAC is used by major vendors like HPE, ASUS, and ASRock, the reach of this vulnerability is global—from enterprise data centers to cutting-edge AI cloud infrastructure.
Why CVE-2024-54085 Made History: The First BMC Flaw in CISA’s KEV Catalog
Security researchers have warned about BMC weaknesses for years. Yet, CVE-2024-54085 is the first ever BMC vulnerability to be publicly acknowledged by CISA as actively exploited in the wild. That’s a huge deal.
Here’s why this matters:
- CISA’s Known Exploited Vulnerabilities catalog is reserved for flaws with real-world attacks—those actively abused by threat actors. Placement here means federal agencies must patch, and every security leader should take notice.
- BMCs run outside the operating system with elevated, unrestricted privileges. If attackers compromise the BMC, they can hide from traditional endpoint security tools.
- This signals a larger trend: attackers are shifting focus to low-level infrastructure, targeting devices and firmware that often fly under the radar (think: routers, switches, and now, server management chips).
Bottom line: If you’re responsible for critical infrastructure, this is your cybersecurity wake-up call.
How Does CVE-2024-54085 Work? Breaking Down the Attack Chain
Let’s demystify how this vulnerability works—and why it’s so dangerous.
The Technical Details (Minus the Jargon)
- The flaw was discovered by researchers at Eclypsium, who were investigating patches for a previous bug (CVE-2023-34329).
- They found that the authentication process in MegaRAC’s BMC firmware could be easily bypassed—essentially letting anyone with network access “walk right in.”
- No encryption: The affected firmware doesn’t encrypt authentication tokens, making exploitation shockingly straightforward.
- Attackers don’t need special credentials or insider access. They simply connect to the exposed BMC interface and take control.
Think of it like leaving the keys to your data center in an unlocked mailbox—anyone who knows where to look can let themselves in.
Who Is Affected? The Scope of the Threat
This isn’t a niche problem. AMI’s MegaRAC BMC firmware is embedded in servers from over a dozen manufacturers. If you’re running servers in a data center, on-premises, or in the cloud, there’s a good chance you’re affected.
Impacted Environments:
- Enterprise Data Centers: HPE, ASUS, ASRock, and other major vendors use MegaRAC firmware in their server lines.
- Cloud Service Providers: Many large-scale clouds rely on MegaRAC-based BMCs to manage hardware at scale.
- AI Data Centers: In environments orchestrating thousands of GPU workloads, a single compromised BMC could trigger widespread outages, malware outbreaks, or even physical server damage.
Pro Tip: BMCs often have their own management network. If that’s exposed (or poorly segmented), attackers could move laterally—compromising one BMC and then leapfrogging to others.
Why Attackers Love BMCs (and Why You Should Worry)
Here’s where things get even more concerning. Attackers are evolving. Instead of just targeting operating systems and applications, they’re going deeper—to the firmware layer.
What Makes BMCs Such Attractive Targets?
- Unrestricted access: BMCs can control power, update firmware, and even wipe servers clean.
- Stealth: Attacks at this level are hard to detect with traditional security tools. They persist even after reformatting the OS.
- Supply Chain Reach: A vulnerability in a widely deployed firmware (like MegaRAC) can cascade across multiple manufacturers and countless organizations.
Recent trends show attackers increasingly targeting routers, edge devices, and now, server management chips like BMCs. As Eclypsium notes, “This is part of a broader shift to attacking the foundational building blocks of modern infrastructure.” (Read more on this trend from CISA)
Real-World Risks: From Malware to Bricked Servers
Let’s get concrete. What could a successful attack on CVE-2024-54085 look like?
Potential Outcomes:
- Malware deployment: Attackers could install persistent firmware malware, invisible to the OS.
- Firmware tampering: Subtle modifications could allow long-term espionage or sabotage.
- Physical damage: By manipulating power controls or firmware settings, attackers could damage hardware.
- Indefinite reboot loops: Servers could be forced into a state where they constantly restart, taking critical services offline.
- Lateral movement: Once inside one BMC, attackers could discover and attack others, potentially impacting thousands of servers.
AI and cloud environments are especially vulnerable: Imagine an attacker forcing all GPU servers to reboot, disrupting machine learning workloads and causing cascading failures across the data center.
What You Must Do: Essential Steps for Mitigating CVE-2024-54085
Now for the most important part: how do you protect your organization? Let’s break down the recommended actions into a practical checklist.
1. Inventory Your BMC Deployments
- Catalog every server model and identify which use AMI MegaRAC BMC firmware.
- Don’t forget virtualized or cloud-hosted environments—check with providers if unsure.
2. Identify Vulnerable Firmware Versions
- Use vendor advisories and Eclypsium’s guidance to pinpoint versions affected by CVE-2024-54085.
- If you have a software inventory or vulnerability management tool, now’s the time to leverage it.
3. Patch Immediately—Don’t Wait
- Federal agencies: Per Binding Operational Directive 22-01, patch affected systems by July 16, 2025.
- All organizations: Prioritize patching based on criticality and exposure. Apply vendor-recommended updates as soon as possible.
4. Harden BMC Security Practices
- Isolate BMC interfaces from untrusted networks. Use dedicated management VLANs or physically separate networks.
- Audit access controls: Ensure only authorized personnel and secure credentials can access BMCs.
- Review update practices: Are BMCs automatically updated? Do you have a process for regular firmware review?
5. Monitor for Malicious Activity
- Deploy network detection rules (like Snort or YARA) for CVE-2024-54085, as published by ASEC.
- Watch for unusual BMC network traffic or signs of firmware changes.
6. If You Can’t Patch, Consider Mitigations
- Follow vendor mitigations or, if unavailable, discontinue use of the affected product.
- For cloud services, ensure compliance with BOD 22-01 guidance and coordinate with your provider.
Empathetic Note: I know patching firmware can feel daunting, especially in large or complex environments. But delaying increases the risk. Treat BMC security with the same urgency as operating system or application vulnerabilities—if not more so!
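The inventory, version and isolation checks from steps 1 to 4, as an added example that is not part of the original article: a Python triage over a constructed inventory that lists MegaRAC BMCs not confirmed as patched or sitting outside the management network, worst first. The CSV columns, the 10.20.0.0/24 management network and the PLACEHOLDER version strings are assumptions; take the fixed versions from your vendor's advisory.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (not real hosts); the column names are assumptions.
SAMPLE_INVENTORY = """hostname,bmc_ip,bmc_firmware,bmc_version
gpu-node-01,10.20.0.11,AMI MegaRAC,PLACEHOLDER-OLD
gpu-node-02,10.20.0.12,AMI MegaRAC,PLACEHOLDER-FIXED
db-01,192.168.5.40,AMI MegaRAC,PLACEHOLDER-FIXED
edge-01,203.0.113.7,AMI MegaRAC,PLACEHOLDER-OLD
stor-01,,AMI MegaRAC,PLACEHOLDER-FIXED
web-01,10.20.0.30,Other BMC,1.0
"""

# Assumption: the operator's dedicated BMC management network(s).
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
# Placeholder: replace with the fixed versions named in your vendor's advisory.
FIXED_VERSIONS = {"PLACEHOLDER-FIXED"}


def triage(inventory_csv, mgmt_networks, fixed_versions):
    """Return [(hostname, findings)] for MegaRAC BMCs, worst first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "megarac" not in row["bmc_firmware"].lower():
            continue  # steps 1-2: only MegaRAC-based BMCs are in scope
        findings = []
        if row["bmc_version"].strip() not in fixed_versions:
            findings.append("version-not-confirmed-fixed")  # step 3: patch
        try:
            ip = ipaddress.ip_address(row["bmc_ip"].strip())
            if not any(ip in net for net in mgmt_networks):
                findings.append("outside-mgmt-network")  # step 4: isolate
        except ValueError:
            findings.append("invalid-bmc-ip")  # inventory gap, fix the record
        if findings:
            results.append((row["hostname"], findings))
    # Unpatched and exposed hosts sort first, then by hostname for stability.
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY, MGMT_NETWORKS, FIXED_VERSIONS):
        print(f"{host}: {', '.join(findings)}")
```

A host with no findings (gpu-node-02 in the sample) is omitted from the output, and a record with a missing or malformed BMC address is reported instead of being silently skipped.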
Going Deeper: Supply Chain Risks and the Importance of Firmware Security
CVE-2024-54085 is more than “just another patch.” It’s a wake-up call for supply chain and firmware security.
Why? Because:
- BMCs are everywhere: AMI’s firmware stack is a foundational component used by dozens of server vendors. A single flaw can ripple across thousands of organizations.
- Firmware runs below the OS: Attacks can persist through reboots, OS reinstalls, or even hardware swaps.
- Open-source, third-party, and proprietary code: Vulnerabilities may lurk in shared libraries or protocols, exposing unexpected products.
Supply chain attacks aren’t just theoretical—just look at SolarWinds or NotPetya. Firmware is rapidly becoming the new security frontier.
Takeaway: The organizations that succeed in the coming years will be those that treat their firmware—and their supply chain—as first-class security priorities.
Future Threats: The Evolution of BMC Exploits
The addition of a BMC vulnerability to CISA’s KEV catalog isn’t just historic—it’s a sign of what’s coming.
What Security Leaders Should Watch For:
- More BMC vulnerabilities: As attackers realize the power of firmware-level attacks, we can expect more bugs to be discovered and exploited.
- Greater attacker sophistication: Threat actors (from ransomware crews to APTs) will increasingly target the lowest layers of infrastructure.
- Regulatory scrutiny: Expect requirements for firmware patch management, supply chain transparency, and incident reporting to grow.
If your organization manages large-scale infrastructure, it’s time to elevate BMC and firmware security from “nice to have” to “mission critical.”
Frequently Asked Questions (FAQ)
Q: What is CVE-2024-54085 and why is it significant?
A: CVE-2024-54085 is a critical authentication bypass flaw in AMI’s MegaRAC BMC firmware. It’s significant because it allows remote attackers to take control of servers at the hardware level—without credentials or user interaction. It’s the first BMC vulnerability ever added to CISA’s Known Exploited Vulnerabilities catalog.
Q: Which vendors or products are affected by this vulnerability?
A: Servers from HPE, ASUS, ASRock, and over a dozen other manufacturers using AMI’s MegaRAC BMC firmware are affected. The vulnerability impacts both enterprise and cloud environments.
Q: What should organizations do to protect themselves?
A: Immediately inventory your infrastructure, identify affected firmware, apply patches per vendor guidance, isolate BMC interfaces, audit access controls, and monitor for suspicious activity.
Q: Is this vulnerability being exploited in the wild?
A: Yes. CISA confirms active exploitation of CVE-2024-54085, making rapid remediation essential.
Q: Why are BMC vulnerabilities so dangerous?
A: BMCs have elevated privileges outside the operating system, allowing attackers to persist undetected, tamper with firmware, or disrupt physical hardware.
Q: Where can I find additional resources or technical detection rules?
A: Refer to Eclypsium’s advisory, CISA’s KEV catalog, and ASEC’s detection rules for Snort and YARA.
Final Thoughts: Don’t Ignore the Firmware Layer—Act Now
CVE-2024-54085 isn’t just “the latest patch Tuesday problem.” It’s the first BMC vulnerability to enter CISA’s most critical catalog—a warning shot to every organization relying on modern server infrastructure. Attackers are getting smarter, going lower, and targeting supply chains and firmware. Your next security incident could start where you least expect it.
Here’s the bottom line:
- Inventory your BMCs.
- Patch affected firmware immediately.
- Segment and audit access.
- Treat firmware security as vital, not optional.
This is your chance to get ahead of the curve—and protect the invisible foundation your business relies on.
Stay vigilant. Stay secure. And remember, what’s “under the hood” often matters most.
External References:
- CISA Known Exploited Vulnerabilities Catalog
- Eclypsium Research on CVE-2024-54085
- ASEC Detection Rules
- Binding Operational Directive 22-01
- Secure by Design Guidance