Connect with us

Hi, what are you looking for?


Endpoint Security

New AMI BMC Flaws Allowing Takeover and Physical Damage Could Impact Millions of Devices

Two new serious vulnerabilities in AMI BMC, which is used by millions of devices, can allow attackers to take control of systems and cause physical damage.

Firmware and hardware security company Eclypsium has disclosed information on two new vulnerabilities found by its researchers in the American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software.

Eclypsium disclosed other flaws discovered as part of the same research project in December 2022. The analysis focused on information leaked as a result of a ransomware attack launched in 2021 against motherboard maker Gigabyte, a supply chain partner of AMI. The vulnerabilities discovered by the cybersecurity firm in the AMI BMC are collectively tracked as BMC&C.

The BMC software enables administrators to remotely monitor and control a device, without the need to go through the operating system or applications running on it. It can be used to update firmware, install operating systems, and analyze logs. While these features make BMC very useful, they can also make it a tempting target for threat actors.

The BMC made by AMI is present in millions of devices worldwide as it’s used in the products of major companies such as Ampere, Asrock, Asus, Arm, Dell, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

The new vulnerabilities disclosed by Eclypsium on Thursday are CVE-2023-34329, a critical authentication bypass issue that can be exploited by spoofing HTTP headers, and CVE-2023-34330, a code injection flaw. 

“When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it,” Eclypsium explained. 

Similar to the previously disclosed vulnerabilities, these new flaws can pose a significant risk to organizations. An attacker who has gained access to the targeted server’s BMC can conduct a wide range of activities, and the impact can be significant, particularly in the case of data centers and cloud environments.

Advertisement. Scroll to continue reading.

In one theoretical scenario described by Eclypsium, an attacker leverages existing BMC functionality to create a continuous shutdown loop on the host and prevent legitimate users from accessing it. These types of attacks are difficult to detect and address, and researchers warn that the method could be used to extort a targeted organization. 

“When this happens to a small number of machines, the impact may be limited in scale, however should the same vulnerabilities be exploited across an entire BMC management segment and affect hundreds or thousands of devices at once, the impact can be catastrophic to operations, and result in indefinite downtime with no ability to recover,” the security firm said.

Access to the BMC also allows an attacker to stealthily access KVM (keyboard/video/mouse) functionality, enabling them not only to closely monitor legitimate users but also conduct activities on their behalf using KVM inputs.

A hacker can also cause physical destruction through power management tampering, by changing CPU voltages and permanently bricking them.

BMC access can also be used for lateral movement, including to other BMCs, network devices, and even to Active Directory.  

While these vulnerabilities could pose a significant risk to millions of systems, Eclypsium is currently not aware of in-the-wild exploitation. Proof-of-concept (PoC) exploits have not been made public, but sophisticated threat actors could find the flaws on their own by looking at the same leaked information that the security firm analyzed. 

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.