Firmware Update for Security Vulnerabilities Associated with AMI MegaRAC Baseboard Management Controller (BMC) Software

CVE-2022-40259, CVE-2022-40242, and CVE-2022-2827
Dec 13, 2022


BMCs provide out-of-band management for servers and motherboards. The security vulnerabilities identified are in severity of High to Critical. The impact can allow remote access and control of systems to be susceptible to malware or bricking. To mitigate the risk of exploitation, GIGABYTE has released new firmware versions.

Updated firmware versions to address the threat are available on all product pages for systems using the following BMCs:

  • ASPEED AST2500 (update to version 12.60.39)
  • ASPEED AST2600 (update to version 13.04.12)

CVE ID Vulnerability Details:

Common Vulnerabilities Exposures
(CVE) Code
Severity Rating
(CVSS v3.1 Score)
Impact of Vulnerability
CVE-2022-40259 9.8 Critical Arbitrary Code Execution via Redfish API
CVE-2022-40242 9.8 Critical Default credentials for UID = 0 shell via SSH
CVE-2022-2827 7.5 High User enumeration via API

Please navigate to the "Support" section of the relevant product page to download the updated firmware.

For any further assistance regarding this issue please contact your GIGABYTE sales representative, or create a new support ticket at