
The bug identified by Eclypsium specialists makes it possible to bypass authentication remotely through the Redfish Host Interface. Its successful exploitation can result in a loss of confidentiality, integrity, and/or availability.
“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish). Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage/bricking), and indefinite reboot loops that a victim cannot stop,” – Eclypsium.
Although AMI engineers produced patches fixing this security hole by March 11, 2025, it took OEMs some time to implement these patches in their products.
This week, Asus released patches fixing the CVE-2024-54085 vulnerability in four affected motherboard models.
Users are advised to install updates and upgrade the BMC firmware to the following versions:
- PRO WS W790E-SAGE SE – version 1.1.57;
- PRO WS W680M-ACE SE – version 1.1.21;
- PRO WS WRX90E-SAGE SE – version 2.1.28; and
- PRO WS WRX80E-SAGE SE WIFI – version 1.34.0.
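
To check a fleet against the list above, the following added example (not Asus, AMI or Eclypsium code) compares recorded BMC firmware versions with the fixed versions. The inventory rows are constructed, and the script assumes the BMC reports versions in the same dotted numeric form used in the list.

```python
import re

# Fixed BMC firmware versions, copied from the list above.
FIXED = {
    "PRO WS W790E-SAGE SE": "1.1.57",
    "PRO WS W680M-ACE SE": "1.1.21",
    "PRO WS WRX90E-SAGE SE": "2.1.28",
    "PRO WS WRX80E-SAGE SE WIFI": "1.34.0",
}

def parse_version(text):
    """'1.1.57' -> (1, 1, 57). Anything not purely dotted-numeric raises ValueError."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(installed, fixed):
    """Numeric, component-wise comparison; '1.34' is treated as '1.34.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(inventory):
    """Map each (host, model, installed_version) row to a status string."""
    report = {}
    for host, model, installed in inventory:
        fixed = FIXED.get(" ".join(model.upper().split()))
        if fixed is None:
            report[host] = "NOT_LISTED"       # not in the list above; says nothing about exposure
            continue
        try:
            report[host] = "PATCHED" if is_patched(installed, fixed) else "NEEDS_UPDATE"
        except ValueError:
            report[host] = "CHECK_MANUALLY"   # never guess on an unparseable version
    return report

# Constructed inventory (hostnames and installed versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-01", "Pro WS W790E-SAGE SE", "1.1.57"),
    ("ws-02", "PRO WS W680M-ACE SE", "1.1.9"),      # 9 < 21, though "1.1.9" > "1.1.21" as strings
    ("ws-03", "PRO WS WRX80E-SAGE SE WIFI", "1.34"),
    ("ws-04", "PRO WS WRX90E-SAGE SE", "2.1.28-beta"),
    ("ws-05", "Example Board X", "3.0.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A `NOT_LISTED` result only means the board is not one of the four models named here; other products built on the affected AMI firmware need their own vendor's advisory.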