Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity.
Italy-based Riello Elettronica describes itself as a company in the electrical manufacturing sector and a leader in the uninterruptible power supply (UPS) market.
However, according to CyberDanube, the vendor has not been able to address two vulnerabilities found in the company’s NetMan 204 network communications card, which is used to integrate Riello UPS systems into medium or large networks.
One of the flaws, tracked as CVE-2024-8877, is an SQL injection vulnerability that can be exploited without authentication to modify log data. The second issue, CVE-2024-8878, allows an unauthenticated attacker to obtain an ID associated with a device.
“This ID can be used to calculate the recovery code for resetting the password. This enables an attacker to take over control of the UPS and e.g. turn it off,” CyberDanube said in its advisory.
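The weakness CyberDanube describes is a recovery code that can be derived from an identifier the device hands out to anyone who asks. The defensive alternative is a recovery code that is random, stored only as a hash, single-use and short-lived, so that knowing a device ID gives an attacker nothing to compute. The following is an added illustration of that design; it is not code from Riello's firmware or from the CyberDanube advisory, and the `RecoveryCodeStore` class, the 15-minute lifetime and the `ups-01` device name are assumptions chosen for the example.

```python
"""Random, single-use, expiring recovery codes (illustrative design, not vendor code)."""
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a pending recovery code; a real product would tune this.
CODE_TTL_SECONDS = 15 * 60


class RecoveryCodeStore:
    """Issues and redeems password-recovery codes that are not derivable from any device field."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested offline
        self._pending = {}              # device_id -> (sha256 hex of the code, expiry timestamp)

    def issue(self, device_id: str) -> str:
        # 64 bits from the OS CSPRNG; nothing about device_id feeds into the code.
        code = secrets.token_hex(8)
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Only the hash is persisted, so a leaked store does not leak usable codes.
        self._pending[device_id] = (digest, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, device_id: str, presented: str) -> bool:
        entry = self._pending.get(device_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            # Expired codes are discarded rather than left around to be guessed at leisure.
            del self._pending[device_id]
            return False
        # Constant-time comparison avoids leaking how many leading characters matched.
        ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).hexdigest())
        if ok:
            # Single use: a captured code cannot be replayed.
            del self._pending[device_id]
        return ok


def demo():
    """Walk through a wrong guess, a correct redemption, a replay, and an expired code."""
    clock = [1_000_000.0]               # constructed fake clock for deterministic expiry
    store = RecoveryCodeStore(now=lambda: clock[0])

    code = store.issue("ups-01")        # constructed device name
    wrong = store.redeem("ups-01", "0" * 16)
    right = store.redeem("ups-01", code)
    replay = store.redeem("ups-01", code)

    code2 = store.issue("ups-01")
    clock[0] += CODE_TTL_SECONDS + 1    # advance past the lifetime
    expired = store.redeem("ups-01", code2)
    return wrong, right, replay, expired


if __name__ == "__main__":
    print(demo())                       # (False, True, False, False)
```

The point of the design is that every check a defender cares about (randomness, hashed storage, expiry, single use, constant-time comparison) is independent of anything an unauthenticated client can read from the device, which is exactly the property the reported flaw lacks.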
CyberDanube’s founder and technical director, Thomas Weber, told SecurityWeek that Riello UPS devices are typically only accessible from the internal network, but a few dozen devices appear to be directly exposed to the internet and roughly 20 of them expose a web interface that is needed to exploit the vulnerability and take control of a device.
Most of the exposed UPS devices are in Italy and other European countries, Weber said.
According to a timeline published by CyberDanube, the security holes were disclosed to the vendor in June, but Riello indicated that it would take longer than September 19 to address the vulnerabilities.
CyberDanube decided to make its findings public — including technical information — after the vendor was unable to provide a status update on several occasions. The security firm gives vendors 90 days to patch vulnerabilities, as per its responsible disclosure rules.
SecurityWeek reached out to Riello for comment prior to the publication of this article, but has not received a response.