Summary
CVE-2025-71317 is a Critical-severity hard-coded backdoor credential vulnerability (CWE-798) in the Riello UPS NetMan 204 network management card, carrying a CVSS v4.0 score of 9.3. A remote, unauthenticated attacker can log in with the built-in account eurek/eurek via a simple HTTP request to the device’s web interface, immediately gaining full administrative control. Multiple public proof-of-concept exploits for this backdoor have existed since at least 2016, and a new exploit targeting the web interface was published in April 2025.
Technical details
- Root cause: A hard-coded backdoor account (username: eurek, password: eurek) is embedded in the device firmware and cannot be removed through normal administrative procedures (CWE-798: Use of Hard-coded Credentials).
- Trigger conditions: No authentication, no user interaction, and no special network position are required. Any host with HTTP/HTTPS access to the device’s management interface can exploit this.
- Attack vector: An attacker sends a crafted HTTP GET request directly to the /cgi-bin/login.cgi endpoint, for example: http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek. Due to lax parameter validation, the request can be further shortened to /cgi-bin/login.cgi?username=eurek%20eurek.
- Impact: Successful exploitation grants full administrative privileges, enabling an attacker to: alter device configuration; enable telnet and SSH services on the device; and reset local user credentials, locking out legitimate administrators. Because the NetMan 204 manages UPS (Uninterruptible Power Supply) systems, exploitation can directly impact power infrastructure availability.
- Public PoC: Multiple proof-of-concept exploits are publicly available on Exploit-DB (EDB-40431, EDB-41208, EDB-52183), spanning SSH-based and HTTP-based attack paths. The most recent (EDB-52183, April 2025) also documents additional unauthenticated access to administrative pages including reboot, shutdown, and bypass commands.
Affected software
- Riello UPS NetMan 204 — all known firmware versions (no fixed version has been confirmed by the vendor)
Severity
- CVSS v4.0: 9.3 (Critical) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVSS v3.1: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation and recommended actions
- No vendor-confirmed patch is currently available. Riello has published firmware update packages (Application 4.07 / OS Version 24-1 for 4GB models; Application 2.22 for legacy models) at the official downloads page — administrators should apply the latest available firmware and monitor Riello’s release notes for a security fix addressing this backdoor.
- Network isolation: Immediately restrict access to the NetMan 204 management interface (HTTP/HTTPS, SSH, Telnet) to trusted management networks or hosts only. Do not expose the web interface directly to the internet.
- Firewall rules: Block external access to the device’s management ports at the perimeter. Validate that no NetMan 204 devices are reachable from untrusted networks.
- Monitoring: Enable logging on upstream network controls to detect authentication attempts against /cgi-bin/login.cgi using the eurek credential.
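As an added defensive example (not part of the IONIX advisory and not Riello code), the following Python script scans combined-log-format access logs from an upstream proxy or web server for requests to the login endpoint named above. It flags the eurek credential in both the direct form and the shortened username=eurek%20eurek form described earlier, and it also marks login attempts whose source address lies outside a trusted management range, which supports the network-isolation recommendation. The TRUSTED_MGMT network and the SAMPLE_LOG lines are constructed placeholders, not data from the advisory.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_ENDPOINT = "/cgi-bin/login.cgi"
BACKDOOR_USER = "eurek"  # hard-coded account named in the advisory

# Assumed trusted management network (placeholder; replace with your own range).
TRUSTED_MGMT = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.0.5 - - [15/Apr/2025:08:01:10 +0000] "GET /cgi-bin/login.cgi?username=admin&password=REDACTED HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Apr/2025:08:02:33 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 498',
    '203.0.113.7 - - [15/Apr/2025:08:02:40 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 498',
    '10.10.0.9 - - [15/Apr/2025:08:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def classify_request(target):
    """Return 'backdoor' if a login.cgi request carries the eurek credential
    (as a username or password value, or hidden in the space-separated
    shortened form), 'login' for any other login.cgi request, None otherwise."""
    parts = urlsplit(target)
    if parts.path != LOGIN_ENDPOINT:
        return None
    # parse_qs percent-decodes values, so 'eurek%20eurek' becomes 'eurek eurek'.
    params = parse_qs(parts.query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if BACKDOOR_USER in value.split():
                return "backdoor"
    return "login"


def scan_log(lines, trusted=TRUSTED_MGMT):
    """Return one finding per login.cgi request, marking backdoor credential
    use and whether the source address is outside the trusted range."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        kind = classify_request(match.group("target"))
        if kind is None:
            continue
        source = ipaddress.ip_address(match.group("ip"))
        findings.append({
            "ip": str(source),
            "time": match.group("ts"),
            "status": int(match.group("status")),
            "backdoor": kind == "backdoor",
            "untrusted_source": source not in trusted,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flags = []
        if finding["backdoor"]:
            flags.append("BACKDOOR-CREDENTIAL")
        if finding["untrusted_source"]:
            flags.append("UNTRUSTED-SOURCE")
        print(finding["time"], finding["ip"], finding["status"], " ".join(flags) or "ok")
```

The check matches on decoded parameter values rather than on the raw query string, so percent-encoded or plus-encoded variants of the same credential are caught; a successful (HTTP 200) login.cgi request from an address outside the management range is worth alerting on even when the credential itself is not visible, for instance when only the path is logged.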
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.