CVE-2025-71317 Overview
CVE-2025-71317 is a hard-coded credentials vulnerability ([CWE-798]) affecting the Riello UPS NetMan 204 network management card. The device ships with a built-in backdoor account using the username and password eurek, granting full administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint to take complete control of the device. Successful exploitation allows attackers to alter device configuration, enable telnet and SSH services, and reset local user credentials. The NetMan 204 is deployed in industrial and data center environments to manage uninterruptible power supplies.
Critical Impact
Unauthenticated remote attackers gain administrative control of NetMan 204 UPS management cards, enabling configuration changes, service activation, and credential resets that compromise power infrastructure availability.
Affected Products
- Riello UPS NetMan 204 network management card
- NetMan 204 firmware distributed via the Riello UPS download portal
- UPS deployments using the NetMan 204 communication module
Discovery Timeline
- 2026-06-05 - CVE-2025-71317 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2025-71317
Vulnerability Analysis
The NetMan 204 firmware contains an embedded administrative account with static credentials that cannot be removed or modified through normal device administration. The username and password are both set to eurek, suggesting a developer or factory account that was never stripped from production firmware. This account bypasses any password policy or user management configured by the device owner.
The authentication handler at /cgi-bin/login.cgi accepts these credentials over the network without any rate limiting or source restriction. Because the backdoor account holds administrator privileges, an attacker inherits full control over UPS configuration and exposed management services. The flaw is classified under [CWE-798] Use of Hard-coded Credentials.
Root Cause
The root cause is the inclusion of static administrative credentials within the shipped firmware. Compounding the issue, the login.cgi endpoint performs lax parameter validation. The parser accepts a URL-encoded space character as a delimiter between the username and password fields, allowing both credentials to be supplied within a single parameter.
Attack Vector
Exploitation requires only network reachability to the NetMan 204 web interface. An attacker sends a GET request such as /cgi-bin/login.cgi?username=eurek&password=eurek to authenticate as administrator. Due to parameter parsing weakness, the request can also be shortened to /cgi-bin/login.cgi?username=eurek%20eurek, where %20 represents an encoded space. Once authenticated, the attacker enables telnet or SSH for persistence, modifies UPS shutdown thresholds, or resets credentials to lock out legitimate operators. Public exploit code is available through Exploit-DB entry 52183.
Detection Methods for CVE-2025-71317
Indicators of Compromise
- HTTP requests to /cgi-bin/login.cgi containing the string eurek in either the username or password parameter.
- Unexpected enablement of telnet (TCP/23) or SSH (TCP/22) services on NetMan 204 devices that were previously disabled.
- Sudden changes to local user accounts, password resets, or new administrative sessions originating from unrecognized source IP addresses.
Detection Strategies
- Inspect web server and reverse proxy logs in front of UPS management interfaces for any GET request to login.cgi that includes eurek as a credential value.
- Alert on URL-encoded space sequences (%20) within the username parameter of login.cgi, which indicate use of the shortened backdoor exploitation pattern.
- Baseline NetMan 204 configuration and detect drift in user accounts, enabled services, and SNMP community strings.
Monitoring Recommendations
- Forward NetMan 204 syslog output to a central log platform and alert on authentication events for the eurek account.
- Monitor north-south network flows for inbound connections to UPS management interfaces from outside designated management VLANs.
- Track new telnet and SSH listeners on operational technology segments using network detection tooling.
How to Mitigate CVE-2025-71317
Immediate Actions Required
- Remove NetMan 204 management interfaces from the public internet and any untrusted network segment immediately.
- Place affected UPS devices behind a firewall that restricts access to cgi-bin/login.cgi to a small set of administrative source addresses.
- Audit each NetMan 204 for unauthorized configuration changes, enabled telnet or SSH services, and unexpected user accounts.
Patch Information
Review the VulnCheck advisory for the NetMan 204 hard-coded backdoor for vendor remediation status. Updated firmware, when released, will be available through the Riello UPS NetMan 204 download page. Apply the latest firmware that explicitly removes the eurek account once available, and validate the fix by attempting authentication with the backdoor credentials after the upgrade.
Workarounds
- Enforce network segmentation that isolates UPS management interfaces on a dedicated out-of-band VLAN with no internet egress.
- Restrict access to /cgi-bin/login.cgi using an upstream reverse proxy or firewall ACL that blocks any request containing username=eurek.
- Disable telnet and SSH services on the NetMan 204 unless actively required, and re-verify their state after any configuration change.
# Example firewall rule restricting NetMan 204 management access to a jump host
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 80 -s <admin_jump_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 443 -s <admin_jump_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

