Researchers found a critical vulnerability in the AMI MegaRAC baseboard management controller (BMC) used by multiple server manufacturers. The vulnerability could allow attackers to bypass authentication and take control of vulnerable servers over the Redfish management interface.
“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop,” researchers from firmware security company Eclypsium stated in their report.