ASUS has issued security updates to fix a severe vulnerability, CVE-2024-54085, that could allow attackers to hijack servers or even cause permanent damage.

This flaw affects MegaRAC Baseboard Management Controller (BMC) software from American Megatrends International (AMI), which is used by several server vendors, including ASUS, HPE, and ASRock.

The vulnerability can be remotely exploited, enabling attackers to deploy malware, tamper with firmware, or potentially damage server hardware by over-volting. In some cases, the flaw can lead to a server becoming unresponsive due to continuous reboot loops.

The issue can be triggered by gaining access to the server’s remote management interfaces, such as Redfish, or to the BMC’s internal host interface. If exploited, it could result in a variety of issues, including physical damage to motherboard components.

ASUS has released firmware updates for four of its motherboard models affected by the flaw. Users are encouraged to update to the latest BMC firmware versions to secure their systems:

  • PRO WS W790E-SAGE SE – version 1.1.57
  • PRO WS W680M-ACE SE – version 1.1.21
  • PRO WS WRX90E-SAGE SE – version 2.1.28
  • Pro WS WRX80E-SAGE SE WIFI – version 1.34.0

To apply the update, users should download the firmware and use the web interface to perform the update under the “Maintenance” section. Given the vulnerability’s potential impact, users should apply these patches as soon as possible to protect their servers. Detailed update instructions are available on ASUS’s official FAQ page.
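The advisory lists one fixed BMC firmware version per board, so the practical defender check is to read the version the BMC reports and compare it numerically against that list. The following Python example is added here and is not ASUS's or AMI's code. It assumes the running version is read from the `FirmwareVersion` property of the Redfish Manager resource (the BMC object under `/redfish/v1/Managers/`, part of the standard Redfish schema) and that the board model is supplied by the operator or an inventory system; the sample Manager document is constructed, not captured from a real BMC. Version strings are compared as integer tuples rather than as text, so `1.9.9` correctly sorts before `1.34.0`.

```python
import json
import re

# Fixed BMC firmware versions for the four ASUS boards listed in the advisory
# (CVE-2024-54085). Keys are normalised to upper case with single spaces.
FIXED_VERSIONS = {
    "PRO WS W790E-SAGE SE": "1.1.57",
    "PRO WS W680M-ACE SE": "1.1.21",
    "PRO WS WRX90E-SAGE SE": "2.1.28",
    "PRO WS WRX80E-SAGE SE WIFI": "1.34.0",
}


def parse_version(text):
    """Turn a dotted version such as '1.1.57' into a tuple of ints so that
    comparison is numeric per component. A trailing build tag (e.g. '-rc1')
    is ignored; input with no leading numeric version raises ValueError."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def normalise_model(model):
    """Canonicalise a board name: upper case, collapsed whitespace."""
    return " ".join(model.upper().split())


def fixed_version_for(model):
    """Fixed firmware version for this board, or None if not in the advisory."""
    return FIXED_VERSIONS.get(normalise_model(model))


def needs_update(model, running_version):
    """True if the BMC firmware is older than the fixed version for this board,
    False if it is at or above it, and None if the board is not one of the
    four listed (this advisory says nothing about other boards)."""
    fixed = fixed_version_for(model)
    if fixed is None:
        return None
    return parse_version(running_version) < parse_version(fixed)


def firmware_version_from_manager(manager_doc):
    """Extract FirmwareVersion from a Redfish Manager resource, given either
    the JSON text or an already-decoded dict."""
    doc = json.loads(manager_doc) if isinstance(manager_doc, str) else manager_doc
    return doc["FirmwareVersion"]


# Constructed sample of a Redfish Manager response (assumed shape; not a
# capture from real hardware). Only FirmwareVersion is used below.
SAMPLE_MANAGER = json.dumps({
    "@odata.id": "/redfish/v1/Managers/Self",
    "Id": "Self",
    "ManagerType": "BMC",
    "FirmwareVersion": "1.1.56",
})


def assess(model, manager_doc):
    """Combine the two steps into one report dict for an inventory script."""
    running = firmware_version_from_manager(manager_doc)
    return {
        "model": normalise_model(model),
        "running": running,
        "fixed": fixed_version_for(model),
        "needs_update": needs_update(model, running),
    }


if __name__ == "__main__":
    # Operator-supplied board name paired with the constructed BMC response.
    report = assess("PRO WS W790E-SAGE SE", SAMPLE_MANAGER)
    print(json.dumps(report, indent=2))
```

In a real inventory run the Manager document would come from an authenticated GET to the BMC's Redfish endpoint; that fetch is left out here so the block runs offline. A `None` result is deliberately distinct from `False`: a board that is not in the advisory has not been cleared, it has simply not been assessed by this list.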
