CVE-2025-71318 Overview
CVE-2025-71318 is a missing authentication vulnerability [CWE-306] affecting the Riello NetMan 204 network management card for Uninterruptible Power Supply (UPS) systems. The device fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including Lightweight Directory Access Protocol (LDAP) configuration and active user details. The same flaw allows attackers to invoke privileged UPS control commands without credentials.
Critical Impact
Unauthenticated attackers can trigger UPS shutdown, reboot, switch-on-bypass, and battery test operations on exposed NetMan 204 devices, leading to direct disruption of power delivery to connected infrastructure.
Affected Products
- Riello NetMan 204 network management card
- Connected UPS systems managed through the NetMan 204 web interface
- Environments exposing the NetMan 204 administrative HTTP service to untrusted networks
Discovery Timeline
- 2026-06-05 - CVE-2025-71318 published to the National Vulnerability Database (NVD)
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2025-71318
Vulnerability Analysis
The NetMan 204 web management interface exposes administrative resources and command handlers without verifying caller identity. Pages such as administration.html, administration-commands.html, and configuration.html return their content to any HTTP client that requests them. These pages reveal LDAP server configuration, bind credentials context, and currently active user sessions.
The same authentication gap extends to the command-processing endpoints reachable from those pages. An attacker can submit requests that map directly to UPS control primitives: shutdown, reboot, switch-on-bypass, and battery test. Because the device sits between facility power and downstream loads, command execution translates immediately into physical impact on servers, network equipment, and industrial controllers powered by the UPS.
Root Cause
The firmware does not implement an authentication check on protected URIs and command handlers. Access control is effectively missing rather than misconfigured, which aligns with [CWE-306] Missing Authentication for Critical Function. Session enforcement that would normally gate the administrative routes is absent, so authenticated and unauthenticated requests are processed identically.
Attack Vector
Exploitation requires only network reach to the NetMan 204 HTTP service. The attacker issues an HTTP GET against the administrative pages to harvest configuration data, then issues the corresponding command request to drive UPS state changes. No credentials, user interaction, or prior foothold are needed. Detailed request structure is published in Exploit-DB #52183 and the VulnCheck Advisory on NetMan 204.
Detection Methods for CVE-2025-71318
Indicators of Compromise
- Unauthenticated HTTP GET requests to /administration.html, /administration-commands.html, or /configuration.html from sources outside the management network.
- UPS log entries showing shutdown, reboot, switch-on-bypass, or battery test commands issued without a corresponding administrator login event.
- Outbound LDAP probing originating from hosts that previously queried NetMan 204 configuration pages.
Detection Strategies
- Inspect web server and proxy logs in front of NetMan 204 devices for direct requests to administrative URIs from non-administrator subnets.
- Correlate UPS command execution events with authentication events. Commands without a preceding successful login indicate exploitation of CVE-2025-71318.
- Alert on HTTP responses from NetMan 204 that disclose LDAP fields or user lists to clients outside the operations VLAN.
Monitoring Recommendations
- Forward NetMan 204 syslog and HTTP access logs to a central SIEM or data lake for retention and correlation.
- Baseline expected administrators and source IPs for the UPS management interface, then alert on deviations.
- Monitor power state telemetry for unexpected transitions to bypass mode or battery test, which can indicate remote command abuse.
How to Mitigate CVE-2025-71318
Immediate Actions Required
- Remove the NetMan 204 web interface from any internet-facing network and restrict access to a dedicated management VLAN.
- Place the device behind an ACL or firewall that permits HTTP access only from named administrator workstations.
- Audit recent UPS command history for unauthorized shutdown, reboot, switch-on-bypass, or battery test events.
- Rotate LDAP bind credentials referenced in the NetMan 204 configuration in case they were exposed.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Consult the VulnCheck Advisory on NetMan 204 and the Riello UPS Documentation for current firmware availability and vendor guidance before deploying compensating controls long-term.
Workarounds
- Enforce network segmentation so the NetMan 204 administrative interface is unreachable from user, guest, or internet-exposed segments.
- Front the device with a reverse proxy that performs authentication and IP allow-listing before forwarding requests.
- Disable the HTTP management interface where SNMP or serial management is sufficient for operations.
- Subscribe to vendor notifications and apply firmware updates promptly once Riello publishes a fix.
# Configuration example: restrict NetMan 204 management interface with iptables
# Allow only the management subnet 10.10.50.0/24 to reach the UPS web UI at 10.20.0.15
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.0.15 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.50.0/24 -d 10.20.0.15 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.20.0.15 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 10.20.0.15 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

