10

CVE-2024-54085

Warnung
Medienbericht

Redfish Authentication Bypass

AMI’s SPx contains
a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation
of this vulnerability may lead to a loss of confidentiality, integrity, and/or
availability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AmiMegarac Sp-x Version >= 12 < 12.7
AmiMegarac Sp-x Version >= 13 < 13.5
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH700s Firmware Version-
   NetappH700s Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH410c Firmware Version-
   NetappH410c Version-
NetappSg6160 Firmware Version-
   NetappSg6160 Version-
NetappSgf6112 Firmware Version-
   NetappSgf6112 Version-
NetappSg110 Firmware Version-
   NetappSg110 Version-
NetappSg1100 Firmware Version-
   NetappSg1100 Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login

25.06.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability

Schwachstelle

AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 61.2% 0.99
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
biossecurity@ami.com 10 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250328-0003/
Third Party Advisory
https://nvd.nist.gov/vuln/detail/CVE-2024-54085
US Government Resource
https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/
Third Party Advisory
Press/Media Coverage
https://eclypsium.com/blog/bmc-vulnerability-cve-2024-05485-cisa-known-exploited-vulnerabilities/
Third Party Advisory
Press/Media Coverage
https://www.bleepingcomputer.com/news/security/cisa-ami-megarac-bug-that-lets-hackers-brick-servers-now-actively-exploited/
Third Party Advisory
Press/Media Coverage
https://www.networkworld.com/article/4013368/ami-megarac-authentication-bypass-flaw-is-being-exploitated-cisa-warns.html
Third Party Advisory
Press/Media Coverage
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-54085
US Government Resource