Vulnerability Overview
Vulnerability Name: Riello UPS NetMan 208 Arbitrary File Upload and Remote Code Execution
CVE ID: CVE-2025-68916
Affected Product: Riello UPS NetMan 208
Affected Versions: All firmware versions before 1.12
Vulnerability Type: Directory Traversal leading to Arbitrary File Upload and Remote Code Execution
Attack Vector: Network (HTTP)
Authentication Required: No
User Interaction Required: No
Risk and Severity
CVSS v3.1 Score: 9.8 (Critical)
Severity: Critical
Estimated CVSS Vector:
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
This vulnerability allows a complete compromise of the device without authentication and can be exploited remotely with minimal effort.
Exploitability and Threat Context
Exploitability: High
Exploit Availability: Exploitation does not require specialized tools or credentials. A single crafted HTTP request is enough to trigger the flaw. Because the attack is this simple and UPS management devices play a critical role, this vulnerability is highly likely to be exploited wherever the interface is exposed.
UPS devices are often deployed in trusted internal networks and may not be closely monitored, increasing the risk of unnoticed compromise.
Technical Details
The NetMan 208 web interface exposes the following CGI endpoint:
/cgi-bin/certsupload.cgi
This endpoint is designed to upload certificate files. However, the application does not properly validate user-supplied input in the filename parameter.
Because directory traversal sequences such as ../ are not filtered, an attacker can escape the intended upload directory and write files to arbitrary locations on the device filesystem.
If a malicious script is uploaded to a web-accessible or executable directory, it can be executed remotely, resulting in full system compromise.
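To make the flaw concrete, the following Python block is an added illustration, not the NetMan 208 firmware (whose handler is not shown on this page). It places the unfiltered path join the advisory describes beside a hardened version that would have stopped the traversal. The upload directory /etc/certs, the allowed certificate extensions and the character allow-list are assumptions chosen for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed upload directory for illustration; the device's real path is not known here.
UPLOAD_DIR = "/etc/certs"
# Extensions a certificate-upload endpoint plausibly needs (assumption).
ALLOWED_EXT = (".pem", ".crt", ".cer", ".key")


def vulnerable_target_path(upload_dir, filename):
    """Behaviour the advisory describes: the filename is joined to the upload
    directory with no filtering, so '../' sequences escape it. If the web
    server has already percent-decoded the parameter, an encoded payload
    resolves exactly like the plain one."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def safe_target_path(upload_dir, filename):
    """Hardened handler: decode once, keep only a bare basename, allow-list
    characters and extension, then prove the result is still under upload_dir."""
    decoded = unquote(filename)  # expose %2e%2e%2f and friends
    if decoded != posixpath.basename(decoded) or decoded in ("", ".", ".."):
        raise ValueError(f"path component in filename: {filename!r}")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", decoded):
        raise ValueError(f"disallowed characters: {filename!r}")
    if not decoded.lower().endswith(ALLOWED_EXT):
        raise ValueError(f"disallowed extension: {filename!r}")
    target = posixpath.normpath(posixpath.join(upload_dir, decoded))
    # Defence in depth: the containment check catches anything the filters miss.
    if posixpath.commonpath([upload_dir, target]) != upload_dir:
        raise ValueError(f"escapes upload dir: {filename!r}")
    return target


def classify(filename):
    """Return the safe path, or 'rejected' when the hardened handler refuses it."""
    try:
        return safe_target_path(UPLOAD_DIR, filename)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    samples = [
        "server.pem",                                          # legitimate upload
        "../../../../usr/local/www/shell.cgi",                 # the advisory's payload
        "..%2f..%2f..%2f..%2fusr%2flocal%2fwww%2fshell.cgi",   # same, URL-encoded
        "shell.cgi",                                           # no traversal, wrong type
    ]
    for s in samples:
        print(f"{s!r:55} vulnerable -> {vulnerable_target_path(UPLOAD_DIR, s)}")
        print(f"{'':55} hardened   -> {classify(s)}")
```

The containment check at the end is the one that matters: even if a future change loosened the basename or character rules, normalizing the joined path and comparing its prefix against the upload directory still refuses anything that resolves outside it.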
Exploitation Flow
- An attacker sends an HTTP POST request to /cgi-bin/certsupload.cgi
- The filename parameter contains directory traversal sequences
- The malicious file is written outside the intended directory
- The attacker accesses the uploaded file through the web interface
- Arbitrary system commands are executed on the device
Example Exploitation Payloads
Directory Traversal Upload
filename=../../../../usr/local/www/shell.cgi
Example Command Execution Script
#!/bin/sh
# Minimal CGI script: the two echo lines form the HTTP header block,
# and everything printed after them is returned as the response body.
echo "Content-Type: text/plain"
echo ""
id        # account the CGI runs as, i.e. the privilege level obtained
uname -a  # kernel version and architecture of the device
This script demonstrates how system commands can be executed once the file is placed on the device.
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059 – Command and Scripting Interpreter |
| Persistence | T1505.003 – Web Shell |
| Privilege Escalation | T1068 – Exploitation for Privilege Escalation |
| Defense Evasion | T1070 – Indicator Removal |
| Impact | T1499 – Endpoint Denial of Service |
Detection and Monitoring
Indicators of Compromise
- Unexpected executable files such as .cgi or .sh
- File creation or modification in the following directories: /www/, /usr/local/www/
- Suspicious HTTP POST requests to /cgi-bin/certsupload.cgi
Recommended Log Sources
- Web server access logs
- CGI execution logs
- System logs showing file creation or execution
- Network IDS/IPS logs
- File Integrity Monitoring (FIM)
Detection Rules
Network Detection:
Alert on HTTP POST requests to /cgi-bin/certsupload.cgi whose filename parameter contains directory traversal patterns such as ../ or encoded equivalents (%2e%2e/, ..%2f, or double-encoded forms such as %252e%252e%252f). Because the filename travels in the POST body, this check needs body visibility from an IDS, WAF or reverse proxy; URL-only access logs will show the endpoint but not the payload.
SIEM Correlation:
Correlate file upload activity with the appearance of new executable files followed by HTTP access to those files.
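The network rule and the SIEM correlation above, as an added Python example that is not part of the advisory. It runs over constructed sample request records (not real device logs) in an assumed tab-separated format of timestamp, client, method, URI, status and body excerpt; the body excerpt assumes a reverse proxy or WAF in front of the device logs request bodies, since the device's own access log would carry only the URI. The first rule decodes up to two rounds of percent-encoding before looking for traversal; the second remembers the basename of each traversal payload per client and alerts when that client later requests a path ending in it.

```python
import re
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/cgi-bin/certsupload.cgi"

# Constructed sample records (not real device logs). Tab-separated fields:
#   timestamp  client  method  uri  status  body_excerpt
SAMPLE_LOG = """\
2025-01-10T09:00:01Z\t10.0.5.7\tGET\t/\t200\t-
2025-01-10T09:00:04Z\t10.0.5.7\tPOST\t/cgi-bin/certsupload.cgi\t200\tfilename=server.pem
2025-01-10T09:01:12Z\t10.0.9.23\tPOST\t/cgi-bin/certsupload.cgi\t200\tfilename=..%2f..%2f..%2f..%2fusr%2flocal%2fwww%2fshell.cgi
2025-01-10T09:01:15Z\t10.0.9.23\tGET\t/shell.cgi\t200\t-
2025-01-10T09:02:30Z\t10.0.9.23\tPOST\t/cgi-bin/certsupload.cgi\t200\tfilename=%252e%252e%252fetc%252fpasswd
2025-01-10T09:03:00Z\t10.0.5.7\tGET\t/cgi-bin/status.cgi\t200\t-
"""

FILENAME_RE = re.compile(r'filename=([^&\s;"]+)')


def decode_layers(s):
    """Return the raw string followed by up to two rounds of percent-decoding,
    so single- and double-encoded traversal are both visible."""
    layers, cur = [], s
    for _ in range(3):
        if cur in layers:
            break
        layers.append(cur)
        cur = unquote(cur)
    return layers


def has_traversal(s):
    return any("../" in layer or "..\\" in layer for layer in decode_layers(s))


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        ts, client, method, uri, status, body = line.split("\t")
        records.append({"ts": ts, "client": client, "method": method,
                        "uri": uri, "status": int(status), "body": body})
    return records


def detect(records):
    """Return alerts as (timestamp, client, rule, detail) tuples."""
    alerts = []
    planted = {}  # client -> basenames of files its traversal payloads targeted
    for r in records:
        if r["method"] == "POST" and r["uri"] == UPLOAD_ENDPOINT:
            # Rule 1: traversal in the filename parameter (body) or the URI itself.
            if has_traversal(r["body"] + " " + r["uri"]):
                m = FILENAME_RE.search(r["body"])
                fname = decode_layers(m.group(1))[-1] if m else ""
                alerts.append((r["ts"], r["client"], "traversal-upload", fname))
                base = fname.rsplit("/", 1)[-1]
                if base:
                    planted.setdefault(r["client"], set()).add(base)
        elif r["method"] == "GET" and r["client"] in planted:
            # Rule 2: the same client later fetches the file it tried to plant.
            base = r["uri"].rsplit("/", 1)[-1]
            if base in planted[r["client"]]:
                alerts.append((r["ts"], r["client"], "planted-file-access", r["uri"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert, sep="  ")
```

In a real deployment the second rule is stronger when the planted basename is also matched against file-integrity monitoring events from /www/ and /usr/local/www/, so that a write to the directory and the subsequent HTTP fetch corroborate each other; the HTTP-only form here is what is possible without agent data from the device.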
Remediation
Official Patch
Upgrade the device firmware to version 1.12 or later.
Official Riello Firmware Download Page:
https://www.riello-ups.com/support/firmware
Select NetMan 208 and install firmware version 1.12 or newer.
Temporary Mitigations
- Restrict access to the management interface
- Place the device on a dedicated management network
- Block access to /cgi-bin/ paths where possible
- Disable the web interface if it is not required
Final Takeaway
If exploited, this vulnerability allows attackers to fully control the UPS management interface, disrupt power operations, hide malicious activity, and use the device as a pivot point into internal networks.
Due to the critical nature of UPS infrastructure, this issue should be treated as a high-priority security risk requiring immediate remediation.
