The spoofing attack works by manipulating HTTP request headers sent to the Redfish interface. Attackers can add specific values to headers like “X-Server-Addr” to make their external requests appear as if they’re coming from inside the server itself. Since the system automatically trusts internal requests as authenticated, this spoofing technique grants attackers administrator privileges without needing valid credentials.
Slow vendor response creates risk window
The vulnerability exemplifies complex enterprise security challenges posed by firmware supply chains. AMI sits at the top of the server supply chain, but each vendor must integrate patches into their own products before customers can deploy them.
Lenovo took until April 17 to release its patch, while Asus patches for four motherboard models only appeared in recent weeks. Hewlett Packard Enterprise was among the faster responders, releasing updates in March for its Cray XD670 systems used in AI and high-performance computing workloads.
The patching delays are particularly concerning given the vulnerability’s scope. Manufacturers known to use AMI’s MegaRAC SPx BMC include AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm, representing a significant portion of enterprise server infrastructure. NetApp also confirmed in its security advisory NTAP-20250328-0003 that multiple NetApp products incorporating MegaRAC BMC firmware are also affected, expanding the impact to storage infrastructure.
Dell had earlier confirmed its systems are unaffected since it uses its own iDRAC management technology instead of AMI’s MegaRAC.
Enterprise operations at risk
This widespread vendor impact translates into serious operational risks for enterprises. BMCs operate at a privileged level below the main operating system, making attacks particularly dangerous.
