Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71317

CVE-2025-71317: NetMan 204 Auth Bypass Vulnerability

CVE-2025-71317 is an authentication bypass flaw in NetMan 204 caused by a hard-coded backdoor account. Attackers can gain full admin access remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-71317 Overview

CVE-2025-71317 is a hard-coded credentials vulnerability ([CWE-798]) affecting the Riello UPS NetMan 204 network management card. The device ships with a built-in backdoor account using the username and password eurek, granting full administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint to take complete control of the device. Successful exploitation allows attackers to alter device configuration, enable telnet and SSH services, and reset local user credentials. The NetMan 204 is deployed in industrial and data center environments to manage uninterruptible power supplies.

Critical Impact

Unauthenticated remote attackers gain administrative control of NetMan 204 UPS management cards, enabling configuration changes, service activation, and credential resets that compromise power infrastructure availability.

Affected Products

  • Riello UPS NetMan 204 network management card
  • NetMan 204 firmware distributed via the Riello UPS download portal
  • UPS deployments using the NetMan 204 communication module

Discovery Timeline

  • 2026-06-05 - CVE-2025-71317 published to NVD
  • 2026-06-05 - Last updated in NVD database

Technical Details for CVE-2025-71317

Vulnerability Analysis

The NetMan 204 firmware contains an embedded administrative account with static credentials that cannot be removed or modified through normal device administration. The username and password are both set to eurek, suggesting a developer or factory account that was never stripped from production firmware. This account bypasses any password policy or user management configured by the device owner.

The authentication handler at /cgi-bin/login.cgi accepts these credentials over the network without any rate limiting or source restriction. Because the backdoor account holds administrator privileges, an attacker inherits full control over UPS configuration and exposed management services. The flaw is classified under [CWE-798] Use of Hard-coded Credentials.

Root Cause

The root cause is the inclusion of static administrative credentials within the shipped firmware. Compounding the issue, the login.cgi endpoint performs lax parameter validation. The parser accepts a URL-encoded space character as a delimiter between the username and password fields, allowing both credentials to be supplied within a single parameter.

Attack Vector

Exploitation requires only network reachability to the NetMan 204 web interface. An attacker sends a GET request such as /cgi-bin/login.cgi?username=eurek&password=eurek to authenticate as administrator. Due to parameter parsing weakness, the request can also be shortened to /cgi-bin/login.cgi?username=eurek%20eurek, where %20 represents an encoded space. Once authenticated, the attacker enables telnet or SSH for persistence, modifies UPS shutdown thresholds, or resets credentials to lock out legitimate operators. Public exploit code is available through Exploit-DB entry 52183.

Detection Methods for CVE-2025-71317

Indicators of Compromise

  • HTTP requests to /cgi-bin/login.cgi containing the string eurek in either the username or password parameter.
  • Unexpected enablement of telnet (TCP/23) or SSH (TCP/22) services on NetMan 204 devices that were previously disabled.
  • Sudden changes to local user accounts, password resets, or new administrative sessions originating from unrecognized source IP addresses.

Detection Strategies

  • Inspect web server and reverse proxy logs in front of UPS management interfaces for any GET request to login.cgi that includes eurek as a credential value.
  • Alert on URL-encoded space sequences (%20) within the username parameter of login.cgi, which indicate use of the shortened backdoor exploitation pattern.
  • Baseline NetMan 204 configuration and detect drift in user accounts, enabled services, and SNMP community strings.

Monitoring Recommendations

  • Forward NetMan 204 syslog output to a central log platform and alert on authentication events for the eurek account.
  • Monitor north-south network flows for inbound connections to UPS management interfaces from outside designated management VLANs.
  • Track new telnet and SSH listeners on operational technology segments using network detection tooling.

How to Mitigate CVE-2025-71317

Immediate Actions Required

  • Remove NetMan 204 management interfaces from the public internet and any untrusted network segment immediately.
  • Place affected UPS devices behind a firewall that restricts access to cgi-bin/login.cgi to a small set of administrative source addresses.
  • Audit each NetMan 204 for unauthorized configuration changes, enabled telnet or SSH services, and unexpected user accounts.

Patch Information

Review the VulnCheck advisory for the NetMan 204 hard-coded backdoor for vendor remediation status. Updated firmware, when released, will be available through the Riello UPS NetMan 204 download page. Apply the latest firmware that explicitly removes the eurek account once available, and validate the fix by attempting authentication with the backdoor credentials after the upgrade.

Workarounds

  • Enforce network segmentation that isolates UPS management interfaces on a dedicated out-of-band VLAN with no internet egress.
  • Restrict access to /cgi-bin/login.cgi using an upstream reverse proxy or firewall ACL that blocks any request containing username=eurek.
  • Disable telnet and SSH services on the NetMan 204 unless actively required, and re-verify their state after any configuration change.
bash
# Example firewall rule restricting NetMan 204 management access to a jump host
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 80 -s <admin_jump_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 443 -s <admin_jump_host_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <netman204_ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.