October 3, 2023

The US CISA and the NSA have released joint guidance on hardening Baseboard Management Controllers (BMCs), an essential component embedded in computer hardware that facilitate remote management and control.

The guidance aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

Due to their highest privilege level and network accessibility, these devices make them attractive targets for malicious actors as entry points for various cyber-attacks, such as turning off security solutions, manipulating data or propagating malicious instructions across the network infrastructure.


The joint guidance emphasizes the importance of taking proactive measures to secure and maintain BMCs effectively, adding that many organizations fail to implement even minimum-security practices.

To address these concerns, CISA and NSA recommend several key actions.

  • Protection of BMC credentials
  • Enforcing VLAN separation
  • Hardening configurations and performing routine BMC update checks
  • Monitor BMC integrity
  • Move sensitive workloads to hardened devices
  • Use firmware scanning tools periodically and treat unused BMCs as potential security risks.

By following these recommendations, organizations can significantly enhance the security posture of their BMCs and reduce the risk of potential cyber threats. For more information and detailed recommendations, refer to the official guidance document released by CISA and the NSA.

Leave a Reply

%d bloggers like this: