September 24, 2024 at 09:36AM
Riello UPS devices are vulnerable to hackers due to unpatched vulnerabilities according to Austria-based firm CyberDanube. The vulnerabilities in the NetMan 204 network communications card enable attackers to take control of the UPS systems, posing a risk to devices directly exposed to the internet. Riello is yet to address these flaws, as disclosed by CyberDanube after the vendor failed to provide a status update.
From the meeting notes, it is clear that Riello UPS devices are vulnerable to exploitation by hackers due to unpatched vulnerabilities, as reported by CyberDanube, an Austria-based firm specializing in industrial cybersecurity.
Two vulnerabilities in the NetMan 204 network communications card, used to integrate Riello UPS systems into medium or large networks, have been identified. One vulnerability (CVE-2024-8877) allows for SQL injection to modify log data without authentication, while the other (CVE-2024-8878) enables an unauthenticated attacker to obtain an ID associated with a device, which can be used to calculate the recovery code for resetting the password and taking control of the UPS.
Although most of the exposed UPS devices are in Italy and other European countries, the security firm CyberDanube has also discovered that a few dozen devices are directly exposed to the internet, with roughly 20 of them exposing a web interface needed to exploit the vulnerability and take control of a device.
It is important to note that CyberDanube disclosed the security holes to the vendor in June, but Riello indicated that it would take longer than September 19 to address the vulnerabilities. As CyberDanube’s responsible disclosure rules mandate a 90-day patch timeline, the security firm decided to make its findings public, including technical information, after the vendor was unable to provide a status update on several occasions.
It’s also worth noting that Riello has not responded to requests for comment from SecurityWeek regarding the vulnerabilities.
Additionally, it’s mentioned that Riello Elettronica, the Italy-based company responsible for the UPS devices, describes itself as a leader in the uninterruptible power supply (UPS) market within the electrical manufacturing sector.
To summarize, Riello UPS devices are at risk due to unpatched vulnerabilities, and CyberDanube has made its findings public due to the vendor’s inability to address the vulnerabilities within the specified timeline.