ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers.

The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock.

The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting.

"A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," explained Eclypsium in a related report.

Though AMI released a bulletin along with patches on March 11, 2025, time was needed for impacted OEMs to implement the fixes on their products.

Today, ASUS announced they have released fixes for CVE-2024-54085 for four motherboard models impacted by the bug.

After downloading the latest BMC firmware update (.ima file), you can apply it through the web interface > Maintenance > Firmware Update, select the file, and click 'Start Firmware Update.' It is also recommended that you check the 'Full Flash' option. For detailed instructions on how to perform BMC firmware updates safely, and for troubleshooting, check the ASUS FAQ here.

Given the severity of the vulnerability and the ability to perform remote exploitation, it is crucial to perform the firmware update as soon as possible.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 23 Apr 2025 14:55:12 +0000