Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added three security flaws, affecting AMI MegaRAC, the D-Link DIR-859 router, and Fortinet FortiOS respectively, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-54085 (CVSS score: 10.0) - An authentication bypass by spoofing
Analysis Summary
# Vulnerability: CISA KEV Addition: AMI MegaRAC Auth Bypass, D-Link Path Traversal, and Fortinet Hardcoded Key
## CVE Details
- **CVE-2024-54085**
  - CVSS Score: 10.0 (Critical)
  - CWE: N/A (Authentication Bypass by Spoofing)
- **CVE-2024-0769**
  - CVSS Score: 5.3 (Medium)
  - CWE: N/A (Path Traversal/Privilege Escalation)
- **CVE-2019-6693**
  - CVSS Score: 4.2 (Low)
  - CWE: N/A (Hardcoded Cryptographic Key)
## Affected Systems
- **Products:** AMI MegaRAC SPx (Redfish Host Interface), D-Link DIR-859 Router, Fortinet FortiOS, FortiManager, FortiAnalyzer.
- **Versions:** The source alert does not list the vulnerable versions for CVE-2024-54085 or CVE-2019-6693; CVE-2024-0769 affects D-Link DIR-859 routers.
- **Configurations:** CVE-2024-0769 affects unpatched DIR-859 units. CVE-2019-6693 only matters to an attacker who can read the CLI configuration or a CLI backup file, since the hard-coded key is used to protect password data stored there.
## Vulnerability Description
1. **CVE-2024-54085 (AMI MegaRAC):** An authentication bypass flaw exists in the Redfish Host Interface of AMI MegaRAC SPx. Successful exploitation allows a remote attacker to potentially take control of the system, enabling actions such as malware deployment or firmware tampering.
2. **CVE-2024-0769 (D-Link):** A path traversal vulnerability in D-Link DIR-859 routers could lead to privilege escalation and unauthorized control over the device.
3. **CVE-2019-6693 (Fortinet):** A hard-coded cryptographic key is used to encrypt password data within the CLI configuration files for FortiOS, FortiManager, and FortiAnalyzer. An attacker accessing the configuration file (or backup) can use this key to decrypt sensitive password data.
## Exploitation
- **Status (All):** Added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating evidence of active exploitation.
- **CVE-2024-54085:** No details on how it is being weaponized, who is exploiting it, or the scale of attacks are available yet.
- **CVE-2024-0769:** Was observed being exploited a year ago in a campaign focused on dumping user account names, passwords, groups, and descriptions.
- **CVE-2019-6693:** Threat actors linked to the Akira ransomware operation have leveraged this flaw to gain initial access to target networks.
- **Complexity:** Not stated for any of the three. A CVSS base score of 10.0 (CVE-2024-54085) is only reachable with low attack complexity and no privileges required, so initial compromise of an exposed MegaRAC interface should be assumed to be easy.
## Impact
- **CVE-2024-54085:** High impact allowing remote takeover/firmware tampering. (Confidentiality, Integrity, Availability: High)
- **CVE-2024-0769:** Privilege escalation and unauthorized control. (Confidentiality, Integrity, Availability: Medium/High)
- **CVE-2019-6693:** Decryption of sensitive user credentials from configuration files. (Confidentiality: High)
## Remediation
### Patches
- The source alert does not list fixed versions; obtain the fixes for each CVE directly from the AMI, D-Link, and Fortinet advisories.
- **Note for D-Link DIR-859:** This product reached End-of-Life (EoL) in December 2020, meaning official patches are unlikely to be issued.
### Workarounds
- **D-Link DIR-859 Users:** Advised to retire and replace the affected product immediately due to EoL status.
- **CVE-2019-6693 Mitigation:** Restrict access to CLI configuration backups and enforce strong network segmentation/monitoring around devices managing these configuration files.
- **CVE-2024-54085 Mitigation:** Federal Civilian Executive Branch (FCEB) agencies must apply the vendor mitigations by July 16, 2025.
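To turn a KEV addition like this one into a tracked remediation item, a defender typically matches the catalog against an asset inventory and reports the days left until each due date. The following Python is an added example, not code from CISA or any of the vendors: the feed snippet is constructed in the shape of CISA's KEV JSON (only CVE-2024-54085's due date comes from this page; the other due dates and the fourth entry are placeholders), and the inventory hosts are hypothetical.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as CISA publishes
# them). Only CVE-2024-54085's due date comes from the alert; the rest are placeholders.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC SPx",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859 Router",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet",
     "product": "FortiOS, FortiManager, FortiAnalyzer",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCorp", "product": "Widget",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory rows (hypothetical hosts) as a CMDB export might list them.
SAMPLE_INVENTORY = [
    {"host": "bmc-rack1-01", "vendor": "AMI", "product": "MegaRAC SPx BMC firmware"},
    {"host": "branch-fw-02", "vendor": "Fortinet", "product": "FortiOS 7.x"},
    {"host": "home-office-rtr", "vendor": "D-Link", "product": "DIR-859"},
    {"host": "core-sw-01", "vendor": "Cisco", "product": "IOS XE"},
]

GENERIC = {"router", "products", "multiple"}  # product words too generic to match on

def _tokens(product: str) -> list[str]:
    """Lower-case product-name tokens of three or more characters, minus generic words."""
    return [t for t in re.split(r"[^a-z0-9]+", product.lower())
            if len(t) >= 3 and t not in GENERIC]

def match_inventory(feed_json: str, inventory: list[dict], today: date) -> list[dict]:
    """One finding per (KEV entry, asset) pair sharing the vendor and a product token,
    with days left until the KEV due date (negative means overdue)."""
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        due, tokens = date.fromisoformat(entry["dueDate"]), _tokens(entry["product"])
        for asset in inventory:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if any(t in asset["product"].lower() for t in tokens):
                findings.append({"cve": entry["cveID"], "host": asset["host"],
                                 "due": entry["dueDate"], "days_left": (due - today).days,
                                 "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    return sorted(findings, key=lambda f: (f["days_left"], f["cve"]))

if __name__ == "__main__":
    print(json.dumps(match_inventory(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date.today()), indent=1))
```

Against the live catalog, replace `SAMPLE_KEV_FEED` with the JSON downloaded from CISA's KEV feed and `SAMPLE_INVENTORY` with your own export; the `ransomware` flag surfaces entries such as CVE-2019-6693 that CISA ties to ransomware campaigns.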
## Detection
- **Indicators of Compromise (IOCs):** None are given in the source alert. Relevant signals are unauthorized remote access attempts against MegaRAC Redfish interfaces, unusual reads of or changes to device configuration files and backups, and credential-dumping activity originating from D-Link devices.
- **Detection Methods and Tools:** Monitor network traffic and logs for suspicious requests to the Redfish interface of AMI MegaRAC deployments, and watch for the initial-access techniques associated with Akira ransomware, in particular access to Fortinet configuration files and backups.
## References
- CISA KEV Catalog Addition: https://www.cisa.gov/news-events/alerts/2025/06/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
- D-Link EoL Announcement: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10371
- Information regarding CVE-2024-54085 disclosure: https://thehackernews.com/2025/03/new-critical-ami-bmc-vulnerability.html