CVE-2025-71318

NetMan 204 Missing Authentication for Administrative Functions

CVSS 9.3 CRITICALEPSS 0.5%CWE-306

NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages (such as administration.html, administration-commands.html, and configuration.html) to disclose sensitive information including LDAP configuration and active user details, and can invoke privileged UPS control commands — including shutdown, reboot, switch-on-bypass, and battery test — without supplying any credentials.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Riello UPS · NetMan 204

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/52183unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/52183 https://www.riello-ups.com/downloads/25-netman-204 https://www.vulncheck.com/advisories/netman-204-missing-authentication-for-administrative-functions