April 23, 2025 By Bill Toulas
ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers.
The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock.
The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting.
"A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish)," explained Eclypsium in a related report.
"Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop."
Though AMI released a bulletin along with patches on March 11, 2025, time was needed for impacted OEMs to implement the fixes on their products.
Today, ASUS announced they have released fixes for CVE-2024-54085 for four motherboard models impacted by the bug.
The affected models and the minimum BMC firmware version each should be upgraded to are:
- PRO WS W790E-SAGE SE – version 1.1.57
- PRO WS W680M-ACE SE – version 1.1.21
- PRO WS WRX90E-SAGE SE – version 2.1.28
- Pro WS WRX80E-SAGE SE WIFI – version 1.34.0
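Because the flaw is reached through the BMC's Redfish interface, that same interface is the quickest way to confirm which firmware a board is actually running. The script below is an added example (not ASUS, AMI or Eclypsium code) that reads the standard Redfish `FirmwareVersion` property from `/redfish/v1/Managers/<id>` and compares it with the fixed versions listed above. Two things are assumptions rather than facts from the advisory: that the BMC exposes its version under that standard property, and that it reports the same dotted numbering the ASUS download page uses; check both on your own hardware before relying on the result. The sample Redfish responses embedded in the block are constructed, not captured from a real BMC.

```python
"""Compare an ASUS BMC's Redfish-reported firmware version with the
CVE-2024-54085 fixed versions. Added example, not vendor code.

Assumptions (not stated in the advisory): the BMC reports its version in
the standard Redfish 'FirmwareVersion' property of a Manager resource, and
it uses the same dotted version strings as the ASUS download page.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Minimum fixed BMC firmware per board, as listed in the ASUS advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "PRO WS W790E-SAGE SE": "1.1.57",
    "PRO WS W680M-ACE SE": "1.1.21",
    "PRO WS WRX90E-SAGE SE": "2.1.28",
    "Pro WS WRX80E-SAGE SE WIFI": "1.34.0",
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.1.57' into (1, 1, 57); non-numeric decoration is ignored."""
    nums = re.findall(r"\d+", s)
    if not nums:
        raise ValueError(f"no numeric version in {s!r}")
    return tuple(int(n) for n in nums)


def is_patched(board: str, reported: str) -> bool:
    """True when the reported version is at least the fixed version for board."""
    fixed = parse_version(FIXED_VERSIONS[board])
    got = parse_version(reported)
    # Pad the shorter tuple with zeros so '1.34' compares equal to '1.34.0'.
    width = max(len(fixed), len(got))
    fixed += (0,) * (width - len(fixed))
    got += (0,) * (width - len(got))
    return got >= fixed


def firmware_version_from_manager(manager_json: str) -> Optional[str]:
    """Extract FirmwareVersion from a /redfish/v1/Managers/<id> document."""
    return json.loads(manager_json).get("FirmwareVersion")


def check_bmc(board: str, fetch: Callable[[str], str]) -> Tuple[str, bool]:
    """Walk the Managers collection to its first member and check its version.

    fetch(path) must return the JSON body for a Redfish path on the BMC;
    injecting it keeps the logic testable offline.
    """
    members = json.loads(fetch("/redfish/v1/Managers"))["Members"]
    manager_path = members[0]["@odata.id"]  # e.g. /redfish/v1/Managers/Self
    reported = firmware_version_from_manager(fetch(manager_path))
    if reported is None:
        raise RuntimeError("BMC did not report FirmwareVersion")
    return reported, is_patched(board, reported)


def make_http_fetch(base_url: str, user: str, password: str,
                    verify_tls: bool = True) -> Callable[[str], str]:
    """Build a fetch() that talks HTTP basic auth to a real BMC (hypothetical
    credentials; many BMCs ship self-signed certs, hence the verify switch)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(path: str) -> str:
        req = urllib.request.Request(base_url + path,
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode()
    return fetch


# Constructed sample Redfish responses (not captured from a real BMC).
SAMPLE_BMC: Dict[str, str] = {
    "/redfish/v1/Managers": json.dumps(
        {"Members": [{"@odata.id": "/redfish/v1/Managers/Self"}]}),
    "/redfish/v1/Managers/Self": json.dumps(
        {"Id": "Self", "FirmwareVersion": "1.1.50"}),
}


def sample_fetch(path: str) -> str:
    """Offline stand-in for make_http_fetch(...) backed by SAMPLE_BMC."""
    return SAMPLE_BMC[path]


if __name__ == "__main__":
    version, ok = check_bmc("PRO WS W790E-SAGE SE", sample_fetch)
    print(f"BMC reports {version}: {'patched' if ok else 'VULNERABLE, update'}")
```

For a live check, replace `sample_fetch` with `make_http_fetch("https://<bmc-ip>", user, password)`; the version comparison is deliberately separate from the transport so it can be unit-tested and reused against an inventory export instead of a live BMC.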