CVE-2023-37297: CWE-122 Heap-based Buffer Overflow in AMI MegaRAC_SPx

Severity: High
Published: Tue Jan 09 2024 (01/09/2024, 22:20:19 UTC)
Source: CVE Database V5
Vendor/Project: AMI
Product: MegaRAC_SPx

Description

AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a heap memory corruption via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

AI-Powered Analysis

Last updated: 07/04/2025, 12:58:26 UTC

Technical Analysis

CVE-2023-37297 is a high-severity heap-based buffer overflow vulnerability (CWE-122) found in AMI's MegaRAC_SPx Baseboard Management Controller (BMC) firmware versions 12 and 13. The vulnerability arises from improper handling of heap memory within the BMC, which can be triggered by an attacker with network adjacency to the device. Exploitation does not require authentication or user interaction but does require high attack complexity, indicating that the attacker must have a certain level of access or capability to trigger the flaw. Successful exploitation can lead to heap memory corruption, potentially allowing an attacker to execute arbitrary code, cause denial of service, or escalate privileges within the BMC environment. Given the BMC's critical role in out-of-band management of servers, compromising it can result in full control over the server hardware, impacting confidentiality, integrity, and availability of the managed systems. The vulnerability has a CVSS v3.1 score of 8.3 (high), with the vector indicating attack via adjacent network (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and complete impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No public exploits are currently known, and no patches have been linked yet, though the vulnerability was published in January 2024 and reserved in June 2023.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for enterprises and data centers relying on AMI MegaRAC_SPx BMCs for server management. Compromise of the BMC can allow attackers to bypass operating system-level security controls, manipulate firmware, or disrupt server availability, which is critical for sectors such as finance, healthcare, government, and telecommunications. The loss of confidentiality could lead to exposure of sensitive data, while integrity breaches could allow tampering with system configurations or logs, undermining trust and compliance with regulations like GDPR. Availability impacts could cause service outages, affecting business continuity. Given the vulnerability requires network adjacency, attackers within the same local or management network segment could exploit it, emphasizing the need for strict network segmentation and monitoring. The lack of known exploits reduces immediate risk but does not eliminate the threat, as weaponization could occur rapidly once details are public.

Mitigation Recommendations

European organizations should immediately inventory their infrastructure to identify servers using AMI MegaRAC_SPx versions 12 or 13. Network segmentation should be enforced to isolate BMC management interfaces from general user and internet-facing networks, restricting access to trusted administrators only. Implement strict firewall rules and access control lists to limit adjacency exposure. Monitor network traffic for anomalous activity targeting BMC interfaces. Employ multi-factor authentication and strong credential management for BMC access where applicable. Since no patches are currently linked, organizations should engage with AMI support for updates or workarounds and apply firmware updates as soon as they become available. Additionally, consider deploying intrusion detection/prevention systems tailored to detect exploitation attempts against BMC vulnerabilities. Regularly review and update incident response plans to include scenarios involving BMC compromise.

Technical Details

Data Version: 5.1
Assigner Short Name: AMI
Date Reserved: 2023-06-30T13:17:15.946Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f0a31182aa0cae27f6e8e

Added to database: 6/3/2025, 2:44:01 PM

Last enriched: 7/4/2025, 12:58:26 PM

Last updated: 8/10/2025, 6:15:42 PM
