What happened
CISA added CVE-2024-54085 to the Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation of an AMI MegaRAC SPx authentication bypass by spoofing in the Redfish Host Interface [CISA KEV]. The KEV entry designates the product as AMI MegaRAC SPx and names the flaw “Authentication Bypass by Spoofing,” mapping it to CWE-290 [CISA KEV]. The National Vulnerability Database entry aligns on product and weakness classification for CVE-2024-54085 [NVD].
CISA’s required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable [CISA KEV]. The KEV listing also provides a remediation due date set by CISA for federal agencies [CISA KEV]. The vulnerability record is also tracked by MITRE under CVE-2024-54085 for reference and coordination [MITRE CVE].
Why it matters
The issue is an authentication bypass by spoofing within the Redfish Host Interface path for AMI MegaRAC SPx, enabling access without proper identity verification [NVD]. CISA states successful exploitation may result in a loss of confidentiality, integrity, and/or availability, which elevates the impact to mission-critical operations where this platform is deployed [CISA KEV]. Because the weakness is spoofing-based (CWE-290), trust-based controls around identity assertions become suspect until fully remediated [NVD].
CISA further notes the vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products, expanding potential blast radius beyond a single SKU if shared elements are present [CISA KEV]. The listing in KEV means confirmed exploitation is occurring now, so defenders should treat exposure as active risk rather than hypothetical [CISA KEV].
Technical detail
CVE-2024-54085 is categorized as Authentication Bypass by Spoofing and mapped to CWE-290, indicating an attacker can impersonate a trusted entity to bypass authentication logic [NVD]. The vulnerable path is the Redfish Host Interface, which implies the flaw manifests during host-interface transactions rather than typical credential flows [CISA KEV]. MITRE’s CVE record confirms the identity of the issue and serves as the authoritative ID for tracking and cross-vendor coordination [MITRE CVE].
Impacts cited by CISA include potential loss of confidentiality, integrity, and availability, consistent with unauthorized control or data access achievable after bypass [CISA KEV]. Because this is a spoofing class defect, the attack surface is identity validation within the host-interface channel rather than a pure credential leak or brute force pathway [NVD]. The product scope called out by both CISA and NVD is AMI MegaRAC SPx, which anchors the vulnerability to that platform [NVD].
CISA flags that the vulnerable behavior may reside in an open-source component, third-party library, protocol, or proprietary implementation, so adjacent products that embed the same logic could be at risk depending on integration specifics [CISA KEV]. The KEV entry also lists “ransomware campaign use: unknown,” which means CISA has not attributed this vulnerability to ransomware operations yet, though exploitation is confirmed [CISA KEV].
Defense
Immediate priority: apply vendor mitigations and updates per CISA’s required action for CVE-2024-54085; if mitigations are not available, discontinue use of the affected product [CISA KEV]. Federal agencies must meet the KEV remediation due date, and BOD 22-01 guidance applies for cloud services where relevant [CISA KEV].
Containment and exposure management should focus on the Redfish Host Interface path cited in the vulnerability; reduce exposure, authenticate strictly, and isolate management planes where feasible while fixes are validated [NVD]. Monitor for anomalous or unexpected host-interface requests associated with MegaRAC SPx assets as part of targeted detection for this CVE [MITRE CVE]. Prioritize incident response playbooks for identity-spoofing scenarios on systems running AMI MegaRAC SPx given the active exploitation status [CISA KEV].
For governance and risk, track this CVE distinctly because of its spoofing nature (CWE-290), which often evades coarse-grained auth checks if trust signals are not tightly bound to authenticated principals [NVD]. Maintain a watch on the NVD and MITRE entries for updates to references and severity context as vendors publish remediations [NVD, MITRE CVE].
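As an added illustration of the monitoring guidance above (example code, not from the page, AMI or Lyrie), a small Python checker that flags two shapes of suspicious Redfish host-interface traffic in constructed access-log lines: requests reaching the BMC from outside an assumed isolated management network, and 2xx responses on protected Redfish resources that carried no credentials, which is what a successful authentication bypass looks like in the logs. The log line format, the `auth=yes|no` field and the management range are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed isolated management network; replace with your own BMC ranges.
MGMT_NETS = [ip_network("10.10.0.0/24")]

# Per the DMTF Redfish specification the service root, version list and
# OData metadata are unauthenticated by design, as is the session-login
# POST; every other Redfish resource must require a token or credentials.
UNAUTH_BY_DESIGN = {"/redfish", "/redfish/v1", "/redfish/v1/odata",
                    "/redfish/v1/$metadata"}
LOGIN_ENDPOINT = "/redfish/v1/SessionService/Sessions"

# Constructed line format (an assumption, not a MegaRAC log format):
#   <client_ip> <method> <path> <status> auth=<yes|no>
LINE_RE = re.compile(r"^(\S+) ([A-Z]+) (\S+) (\d{3}) auth=(yes|no)$")


def in_mgmt_net(src):
    try:
        return any(ip_address(src) in net for net in MGMT_NETS)
    except ValueError:          # unparsable address: treat as untrusted
        return False


def analyze(lines):
    """Return (rule, line) findings for Redfish host-interface traffic."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, method, path, status, auth = m.groups()
        path = path.split("?", 1)[0].rstrip("/")   # normalise trailing slash
        if not path.startswith("/redfish"):
            continue
        # Rule 1: management-plane traffic from outside the isolated network.
        if not in_mgmt_net(src):
            findings.append(("outside-mgmt-net", line))
        # Rule 2: a protected resource answered 2xx with no credentials at all.
        is_login = method == "POST" and path == LOGIN_ENDPOINT
        protected = path not in UNAUTH_BY_DESIGN and not is_login
        if protected and auth == "no" and status.startswith("2"):
            findings.append(("unauth-success", line))
    return findings


# Constructed sample lines for the demonstration.
SAMPLE = [
    "10.10.0.5 GET /redfish/v1/ 200 auth=no",
    "10.10.0.5 POST /redfish/v1/SessionService/Sessions 201 auth=no",
    "10.10.0.5 GET /redfish/v1/Managers/1 200 auth=yes",
    "10.10.0.9 GET /redfish/v1/AccountService/Accounts 401 auth=no",
    "10.10.0.9 GET /redfish/v1/AccountService/Accounts 200 auth=no",
    "203.0.113.7 GET /redfish/v1/ 200 auth=no",
]

if __name__ == "__main__":
    for rule, hit in analyze(SAMPLE):
        print(f"{rule:18} {hit}")
```

Only the two anomalous sample lines are reported; the rejected 401 request and the authenticated request are not.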
Lyrie Verdict
This is a management-plane authentication bypass by spoofing in AMI MegaRAC SPx’s Redfish Host Interface, confirmed exploited and listed in KEV; defenders must assume active probing now [CISA KEV]. Lyrie auto-ingests KEV changes and immediately elevates watch policies for CVE-2024-54085, prioritizing telemetry around Redfish Host Interface request flows tied to SPx assets [NVD]. Our anti-rogue-AI posture focuses on machine-speed discrimination of spoofed identity assertions versus legitimate host-interface transactions, compressing dwell time by autonomously flagging bypass-like sequences as soon as they manifest [MITRE CVE]. In short: we don’t wait on human reaction time; we pre-bias detection toward this CVE’s spoofing vector and drive immediate operator action the moment suspicious Redfish Host Interface traffic appears [CISA KEV].
Lyrie Verdict
Management-plane auth bypass in MegaRAC SPx, exploited per CISA KEV; Lyrie auto-prioritizes Redfish Host Interface telemetry and detects spoofing patterns at machine speed.