The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added three security flaws, impacting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS respectively, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of vulnerabilities is as follows -
- CVE-2024-54085 (CVSS score: 10.0) - An authentication bypass by spoofing vulnerability in the Redfish Host Interface of AMI MegaRAC SPx that could allow a remote attacker to take control
- CVE-2024-0769 (CVSS score: 5.3) - A path traversal vulnerability in D-Link DIR-859 routers that allows for privilege escalation and unauthorized control (Unpatched)
- CVE-2019-6693 (CVSS score: 4.2) - A hard-coded cryptographic key vulnerability in FortiOS, FortiManager and FortiAnalyzer, where the key is used to encrypt password data in the CLI configuration, potentially allowing an attacker with access to the CLI configuration or a CLI backup file to decrypt the sensitive data
Firmware security company Eclypsium, which disclosed CVE-2024-54085 earlier this year, said the flaw could be exploited to carry out a wide range of malicious actions, including deploying malware and tampering with device firmware.
There are currently no details on how the shortcoming is being weaponized in the wild, who may be exploiting it, or the scale of the attacks. When reached for comment, Eclypsium said there has been no public attribution for these attacks, but pointed to China-nexus threat actors such as Volt Typhoon, Salt Typhoon, Flax Typhoon, APT31, APT41, and Velvet Ant as "likely candidates."
Some of these state-sponsored groups, it said, have been implicated in campaigns that revolve around the use of firmware backdoors and Unified Extensible Firmware Interface (UEFI) implants for persistence and stealth.
"The vulnerability can be exploited by making an HTTP POST request to a vulnerable BMC device," Paul Asadoorian, Principal Security Researcher at Eclypsium, told The Hacker News. "The example exploit code was published, allowing a remote attacker to create an administrator account on the BMC without prior authentication."
"To our knowledge, how the attackers used the exploit in the wild, post-exploitation details, IoCs, and malware samples have not been made publicly available."
Some of the post-exploitation actions that an attacker can carry out after a BMC compromise are listed below -
- Attackers could chain multiple BMC exploits to implant malicious code directly into the BMC's firmware, making their presence extremely difficult to detect and allowing them to survive OS reinstalls or even disk replacements.
- By operating below the OS, attackers can evade endpoint protection, logging, and most traditional security tools.
- With BMC access, attackers can remotely power on or off, reboot, or reimage the server, regardless of the primary operating system's state.
- Attackers can scrape credentials stored on the system, including those used for remote management, and use the BMC as a launchpad to move laterally within the network.
- BMCs often have access to system memory and network interfaces, enabling attackers to sniff sensitive data or exfiltrate information without detection.
- Attackers with BMC access can intentionally corrupt firmware, rendering servers unbootable and causing significant operational disruption.
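The exploit outcome quoted above is an administrator account created on the BMC, and the list notes that a compromised BMC sits below the OS where host-side logging cannot see it. A practical detection is therefore to audit the BMC's own account list out of band and compare it against a known baseline. The following is an added example, not code from Eclypsium, AMI or the article: it walks the standard DMTF Redfish `AccountService/Accounts` collection (the `UserName`, `RoleId` and `Enabled` properties are part of the Redfish ManagerAccount schema; the sample JSON, account names and `BASELINE` are constructed for this example) and flags enabled accounts that are missing from the baseline or hold a different role than expected.

```python
"""Audit a Redfish-managed BMC's account list for unexpected administrators.

Constructed sample data: the JSON shapes follow the DMTF Redfish
AccountService schema (Accounts collection plus ManagerAccount resources),
but every value below is made up for this example, not captured from a BMC.
"""
from dataclasses import dataclass
import json

# Constructed sample of what GET /redfish/v1/AccountService/Accounts returns.
SAMPLE_COLLECTION = json.dumps({
    "@odata.id": "/redfish/v1/AccountService/Accounts",
    "Members": [
        {"@odata.id": "/redfish/v1/AccountService/Accounts/2"},
        {"@odata.id": "/redfish/v1/AccountService/Accounts/3"},
        {"@odata.id": "/redfish/v1/AccountService/Accounts/7"},
    ],
})

# Constructed sample of the individual ManagerAccount resources.
SAMPLE_ACCOUNTS = {
    "/redfish/v1/AccountService/Accounts/2": json.dumps(
        {"Id": "2", "UserName": "admin", "RoleId": "Administrator", "Enabled": True}),
    "/redfish/v1/AccountService/Accounts/3": json.dumps(
        {"Id": "3", "UserName": "monitor", "RoleId": "ReadOnly", "Enabled": True}),
    "/redfish/v1/AccountService/Accounts/7": json.dumps(
        {"Id": "7", "UserName": "svc_backup", "RoleId": "Administrator", "Enabled": True}),
}

# Accounts the operator expects, keyed by user name with the role each may hold.
# Any other enabled account, or a role change, is reported as a finding.
BASELINE = {"admin": "Administrator", "monitor": "ReadOnly"}


@dataclass(frozen=True)
class Finding:
    account_id: str
    user_name: str
    role: str
    reason: str


def fetch(uri, fetcher):
    """Retrieve and parse one Redfish resource through the supplied fetcher."""
    return json.loads(fetcher(uri))


def audit_accounts(collection_json, fetcher, baseline):
    """Walk the Accounts collection and return a list of Findings."""
    findings = []
    collection = json.loads(collection_json)
    seen = set()
    for member in collection.get("Members", []):
        acct = fetch(member["@odata.id"], fetcher)
        name = acct.get("UserName", "")
        role = acct.get("RoleId", "")
        seen.add(name)
        if not acct.get("Enabled", False):
            continue  # disabled accounts cannot be used; skip but remember them
        if name not in baseline:
            findings.append(Finding(acct["Id"], name, role, "account not in baseline"))
        elif role != baseline[name]:
            findings.append(Finding(acct["Id"], name, role,
                                    f"role changed from {baseline[name]}"))
    # An expected account that vanished is also worth a look (tampering, lockout).
    for name, role in baseline.items():
        if name not in seen:
            findings.append(Finding("-", name, role, "expected account missing"))
    return findings


def offline_fetcher(uri):
    """Fetcher backed by the constructed sample; replace with an authenticated GET."""
    return SAMPLE_ACCOUNTS[uri]


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_COLLECTION, offline_fetcher, BASELINE):
        print(f"[{f.reason}] id={f.account_id} user={f.user_name} role={f.role}")
```

Run against the constructed data, the audit reports one finding: the `svc_backup` account, enabled with the Administrator role and absent from the baseline. In practice the fetcher is swapped for an authenticated HTTPS GET against the BMC's dedicated management address, the baseline is kept with the server's build record, and the script runs on a schedule from a host that is not managed by the BMC it audits, so that a compromised controller cannot suppress its own finding.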
Eclypsium also noted that there are about 2,000 exposed AMI MegaRAC BMCs accessible on the internet, with many more accessible internally. Companies known to use the affected product line include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm.
The exploitation of CVE-2024-0769 was revealed by threat intelligence firm GreyNoise exactly a year ago as part of a campaign designed to dump account names, passwords, groups, and descriptions for all users of the device.
It's worth noting that D-Link DIR-859 routers have reached end-of-life (EoL) as of December 2020, meaning the vulnerability will remain unpatched on these devices. Users are advised to retire and replace the product.
As for the abuse of CVE-2019-6693, multiple security vendors have reported that threat actors linked to the Akira ransomware scheme have leveraged the vulnerability to obtain initial access to target networks.
In light of the active exploitation of these flaws, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by July 16, 2025, to secure their networks.
(The story was updated after publication to include a response from Eclypsium.)