CVE-2024-54085
AMI · AMI MegaRAC SPx
A critical authentication bypass vulnerability exists in AMI MegaRAC SPx, software used for remote server management.
Executive summary
A critical authentication bypass vulnerability exists in AMI MegaRAC SPx, software used for remote server management. Successful exploitation could allow an unauthenticated attacker to gain complete administrative control over the affected server, potentially leading to data theft, system takeover, and significant operational disruption. This vulnerability is being actively exploited by threat actors and requires immediate attention.
Vulnerability
This vulnerability allows a remote, unauthenticated attacker to bypass the authentication mechanism of the MegaRAC SPx web interface. The exploit is achieved by sending a specially crafted HTTP request that spoofs a valid session. This tricks the system into granting the attacker administrative privileges without requiring a username or password. An attacker only needs network access to the vulnerable management interface to gain complete, low-level control over the underlying server hardware, including console access, power controls, and virtual media mounting.
Business impact
This vulnerability is rated as critical with a CVSS score of 9.5, signifying a high risk to the organization. Exploitation allows an unauthenticated attacker to bypass all login controls and gain full administrative access to the server's Baseboard Management Controller (BMC). This level of access could lead to a complete system compromise, including data exfiltration, deployment of ransomware, persistent backdoor installation at the firmware level, and using the compromised server to launch further attacks within the network, resulting in severe operational, financial, and reputational damage.
Remediation
Immediate Action: Due to the critical nature of this vulnerability and its inclusion in the CISA KEV catalog, immediate action is required. Organizations must adhere to the federal deadline of July 15, 2025. The primary action is to apply the security patches or mitigations provided by AMI. If patches are not yet available for specific hardware, follow any interim guidance from the vendor. For cloud-based services leveraging this technology, follow applicable BOD 22-01 guidance. If no mitigations can be applied, the affected systems must be disconnected from the network or decommissioned to eliminate the risk.
Proactive Monitoring: Review BMC and web server access logs for anomalous successful logins, particularly from unexpected IP ranges or without corresponding failed login attempts. Monitor network traffic to and from MegaRAC SPx interfaces for unusual HTTP requests or connections from untrusted networks. Set up alerts for unexpected server reboots, firmware changes, or virtual media activity initiated through the BMC.
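The log review described above can be scripted. The following is an added example, not code from AMI or from this advisory: it parses a BMC web server access log, keeps a running count of failed login attempts per source address, and reports every successful login that originates outside the expected management networks, together with how many failures preceded it from that source. A success with zero prior failures from an unexpected range is the pattern an authentication bypass would leave, as opposed to a credential-guessing attack. The log format, the login request paths (/api/session, /login), the management network 10.10.0.0/24 and the sample log lines are all assumptions constructed for the example; adjust them to what your firmware actually logs.

```python
import ipaddress
import re
from collections import defaultdict

# Networks from which administrator logins to the BMC are expected (assumed for this example).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Request paths treated as login endpoints (assumed; match them to your firmware's logging).
LOGIN_PATHS = {"/api/session", "/login"}

# Common-log-style access log format assumed for the BMC web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one normal admin login, one success from outside the
# management network with no prior failures, one inside login after a failure,
# and one outside success that followed a single failed attempt.
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Jul/2025:09:00:01 +0000] "POST /api/session HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2025:09:05:12 +0000] "POST /api/session HTTP/1.1" 200 512',
    '10.10.0.9 - - [01/Jul/2025:09:10:00 +0000] "POST /api/session HTTP/1.1" 401 0',
    '10.10.0.9 - - [01/Jul/2025:09:10:05 +0000] "POST /api/session HTTP/1.1" 200 512',
    '198.51.100.3 - - [01/Jul/2025:09:20:00 +0000] "POST /api/session HTTP/1.1" 401 0',
    '198.51.100.3 - - [01/Jul/2025:09:20:03 +0000] "POST /api/session HTTP/1.1" 200 512',
    '10.10.0.5 - - [01/Jul/2025:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path and integer status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_logins(lines, mgmt_nets=MGMT_NETS, login_paths=LOGIN_PATHS):
    """Report successful login requests from addresses outside the management networks.

    Each finding carries the number of failed login attempts (401/403) already seen
    from the same source, so an analyst can separate a guessed password from a
    success on the first request, which is what a bypass would look like.
    """
    failures = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in login_paths:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if rec["status"] in (401, 403):
            failures[ip] += 1
            continue
        if rec["status"] != 200:
            continue
        if any(ip in net for net in mgmt_nets):
            continue  # expected source; an admin logging in from the management network
        findings.append({
            "ip": str(ip),
            "ts": rec["ts"],
            "prior_failures": failures[ip],
            "note": "success without any prior failed attempt" if failures[ip] == 0
                    else "success after failed attempts",
        })
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} prior_failures={f['prior_failures']} ({f['note']})")
```

Feed the script the access log exported from the BMC (or forwarded to a SIEM) and treat every finding, especially one with prior_failures of 0, as a trigger for the firmware and virtual media checks listed above.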
Compensating Controls: If patching cannot be performed immediately, restrict network access to all MegaRAC SPx management interfaces. Use a dedicated, isolated management network and implement strict firewall rules or Access Control Lists (ACLs) to block all connections except those from authorized administrator workstations. Ensure that no MegaRAC SPx interfaces are exposed directly to the internet.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical severity (CVSS 9.5) and confirmed active exploitation in the wild (CISA KEV), this vulnerability poses an immediate and severe threat. We strongly recommend that all system administrators prioritize the immediate patching of affected AMI MegaRAC SPx instances before the July 15, 2025 deadline. A comprehensive audit should be conducted to identify all internet-facing and internal instances of this software. If patching cannot be completed immediately, implement compensating controls, such as strict network segmentation and access control lists, to isolate the management interfaces from all untrusted networks until remediation is complete.