NEWS 10 out of 10: Hackers Can Now Create Admin Accounts Without a Password — Even on Powered-Off Servers

ExcalibuR


Administrators are urged to urgently inspect BMCs in their data centers.


Hackers have begun actively exploiting a critical vulnerability that allows them to gain full control over thousands of servers, including those performing key roles in data centers. This warning comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).


The issue was discovered in the AMI MegaRAC firmware, which is used for remote management of large server fleets. This firmware is embedded in microcontrollers on motherboards, known as Baseboard Management Controllers (BMCs). These allow administrators to manage servers even when the OS is down or the machine is powered off.


Through BMCs, administrators can reinstall operating systems, change configurations, and launch applications without any physical access to the server. Compromising even one controller can give attackers access to the entire internal network and all connected devices.


The vulnerability, tracked as CVE-2024-54085, has received the maximum severity rating of 10 out of 10. The flaw enables an attacker to bypass authentication simply by sending a crafted HTTP request to a vulnerable device. The issue was discovered by cybersecurity firm Eclypsium, which reported it back in March — along with a working exploit that lets attackers create an administrator account without a password. At the time, no real-world attacks had been observed.


However, on June 26, the vulnerability was added to CISA's list of actively exploited flaws, indicating that real-world attacks have begun. While CISA hasn’t released further details, Eclypsium warns the scale could be significant.


According to their analysis, attackers can implant malware directly into the BMC firmware using chained vulnerabilities. This makes the attack almost invisible, and the malware can survive OS reinstalls and disk replacements. Such intrusions bypass antivirus and monitoring systems and allow remote powering on, off, or rebooting of servers, regardless of their current operating state.


Other threats include credential theft, using the server as an entry point into the broader network, or even firmware destruction to physically damage hardware. This makes the vulnerability especially dangerous for corporate and cloud infrastructures.


Researchers suspect the attacks may be linked to Chinese cyber-espionage groups, known for exploiting firmware-level vulnerabilities. The list of potentially affected hardware vendors includes AMD, Ampere, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm. Some of them have already issued patches — but many have not.


Experts strongly advise administrators to inspect all BMC-enabled devices in their infrastructure. Given the number of vendors involved, the best approach is to contact the manufacturer directly if there is any uncertainty regarding exposure.
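One concrete way to act on that advice from the defender's side is to compare the accounts each BMC actually exposes against the set of accounts it is supposed to have, since the outcome described above is an unexpected administrator account. The script below is an added example, not code from the article, from Eclypsium or from CISA: it assumes the account list was fetched from the BMC's Redfish AccountService (field names UserName, RoleId and Enabled from the Redfish ManagerAccount schema), and both the sample account payload and the baseline are constructed inline so it runs offline.

```python
"""
Added example (not from the original post): audit the account list a BMC
exposes over Redfish against a known-good baseline and flag any enabled
administrator-role account that the baseline does not list.
"""
import json

# Constructed sample: the member resources a BMC would return under
# /redfish/v1/AccountService/Accounts, one ManagerAccount per entry. The
# field names follow the Redfish ManagerAccount schema; the values are made up.
SAMPLE_BMC_NAME = "bmc-rack1-node01"
SAMPLE_ACCOUNTS_JSON = """
[
  {"Id": "1", "UserName": "admin",      "RoleId": "Administrator", "Enabled": true},
  {"Id": "2", "UserName": "monitor",    "RoleId": "ReadOnly",      "Enabled": true},
  {"Id": "3", "UserName": "svc_backup", "RoleId": "Administrator", "Enabled": true},
  {"Id": "4", "UserName": "oldadmin",   "RoleId": "Administrator", "Enabled": false}
]
"""

# Hypothetical baseline: the accounts each BMC is supposed to have, as recorded
# at the last fleet review. In practice this comes from the inventory/CMDB;
# here it is constructed inline for the example.
BASELINE = {
    "bmc-rack1-node01": {"admin", "monitor"},
}

# Role names that grant full control of the controller (Redfish's built-in
# Administrator role; vendors may add more, extend this set per vendor docs).
ADMIN_ROLES = {"Administrator"}


def load_accounts(json_text):
    """Parse the account list and keep only the fields the audit needs."""
    accounts = json.loads(json_text)
    return [
        {
            "UserName": a.get("UserName", ""),
            "RoleId": a.get("RoleId", ""),
            "Enabled": bool(a.get("Enabled", False)),
        }
        for a in accounts
    ]


def find_unexpected_admins(bmc_name, accounts, baseline=BASELINE, admin_roles=ADMIN_ROLES):
    """Return enabled administrator-role accounts that the baseline does not list.

    A BMC with no baseline entry is treated as having no expected accounts, so
    every enabled admin on it is reported: an unknown controller should be
    reviewed, not silently passed.
    """
    expected = baseline.get(bmc_name, set())
    return sorted(
        a["UserName"]
        for a in accounts
        if a["Enabled"] and a["RoleId"] in admin_roles and a["UserName"] not in expected
    )


def audit_bmc(bmc_name, json_text, baseline=BASELINE):
    """Build a small report for one BMC; any unexpected admin means 'investigate'."""
    accounts = load_accounts(json_text)
    enabled_admins = sorted(
        a["UserName"] for a in accounts if a["Enabled"] and a["RoleId"] in ADMIN_ROLES
    )
    unexpected = find_unexpected_admins(bmc_name, accounts, baseline)
    return {
        "bmc": bmc_name,
        "accounts_total": len(accounts),
        "enabled_admins": enabled_admins,
        "unexpected_admins": unexpected,
        "verdict": "investigate" if unexpected else "ok",
    }


if __name__ == "__main__":
    # On the constructed sample, "svc_backup" is an enabled Administrator that
    # the baseline does not know about, so the verdict is "investigate".
    print(json.dumps(audit_bmc(SAMPLE_BMC_NAME, SAMPLE_ACCOUNTS_JSON), indent=2))
```

Run it against a real fleet by replacing the constructed payload with the JSON each BMC returns and the baseline with your inventory; a disabled account is deliberately left out of the result so that stale but disabled accounts do not drown the alerts, while an account that exists on a controller your baseline has never seen is always reported.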