Critical AMI MegaRAC bugs can let hackers brick vulnerable servers
Security News, July 2023
Two new critical-severity vulnerabilities have been discovered in the MegaRAC Baseboard Management Controller (BMC) software made by hardware and software company American Megatrends International (AMI).
MegaRAC BMC provides admins with out-of-band, "lights-out" remote system management, enabling them to troubleshoot servers as if they were physically in front of the devices.
By chaining these vulnerabilities, a remote attacker who has network access to the BMC management interface but no BMC credentials can gain remote code execution on servers running vulnerable firmware.
In December 2022 and January 2023, Eclypsium disclosed five earlier MegaRAC BMC vulnerabilities that could be exploited to hijack, brick, or remotely infect compromised servers with malware.
Related news
- Critical Zimbra RCE flaw exploited to backdoor servers using emails
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers
- GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access
- Iranian hackers act as brokers selling critical infrastructure access
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- VMware fixes critical vCenter Server RCE bug again (CVE-2024-38812)
- VMware fixes bad patch for critical vCenter Server RCE flaw
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- Hackers target critical zero-day vulnerability in PTZ cameras