Hitachi Vantara Knowledge

MegaRAC BMC Vulnerabilities Affecting Compute Servers

Priority: High

Status: In Progress - Undergoing Analysis

First Published: 23 December 2022

Advisory Version: 1.1

References: CVE-2022-40259, CVE-2022-40242, CVE-2022-2827

Summary

Three security vulnerabilities affecting the MegaRAC Baseboard Management Controller (BMC) software from American Megatrends were recently disclosed. These vulnerabilities are:

CVE-2022-40259: AMI MegaRAC Redfish Arbitrary Code Execution
CVE-2022-40242: MegaRAC Default Credentials Vulnerability
CVE-2022-2827: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0

The MegaRAC BMC software is commonly used by many server vendors.

Affected Products

Vulnerable Products

The following matrix lists Hitachi Vantara server products which have been confirmed to be affected by any of these vulnerabilities. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.

Product / Fixed Release Version

Compute Products

Hitachi Advanced Server DS120 (G1), DS220 (G1), DS225 (G1), DS240 (G1)
· CVE-2022-40259: Not affected. Vulnerable code is not present.
· CVE-2022-40242: Not affected. Conditions for occurrence not met.
· CVE-2022-2827: Affected. Will be fixed in BMC 4.76.06 (release in January 2023).

Hitachi Advanced Server DS120 (G2), DS220 (G2)
· CVE-2022-40259: Affected. Will be fixed in BMC 3.34.06.
· CVE-2022-40242: Not affected. Conditions for occurrence not met.
· CVE-2022-2827: Affected. Will be fixed in BMC 3.34.06.

Server for Solutions, Single-Node D51B-2U, T41S-2U
· CVE-2022-40259: Not affected. Vulnerable code is not present.
· CVE-2022-40242: Affected. Suggested mitigation: disable the SSH service via IPMI command.
· CVE-2022-2827: Not affected.

Products Confirmed Not Vulnerable

At the time of this advisory's publication, only the products listed in the Vulnerable Products section above are confirmed to be affected by these vulnerabilities.

Recommended Actions

Please continue to check this Security Advisory; new information will be added to it as it becomes available.

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.