CVE-2025-68914
SQL Injection in Riello UPS NetMan 208 Login CGI Allows Data Deletion
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riello | netman | 1.12 |
| riello | netman_208_application | 1.12 |
| riello | netman_208_application | 1.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how CVE-2025-68914 affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-68914 is an unauthenticated SQL Injection vulnerability in the Riello UPS NetMan 208 Application before version 1.12. It occurs in the username parameter of the /cgi-bin/login.cgi login process. An attacker can execute SQL commands on the LOGINFAILEDTABLE, such as deleting all entries, which resets the account lockout mechanism and allows unlimited login attempts. This vulnerability is part of multiple issues in the device that also include remote command execution and stored XSS. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass brute-force protections by deleting the LOGINFAILEDTABLE entries, enabling unlimited login attempts without account lockout. This can lead to unauthorized access to the device. Additionally, combined with other vulnerabilities, it can result in remote code execution and persistent cross-site scripting attacks, potentially leading to full system compromise of the Riello UPS NetMan 208 appliance. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `/cgi-bin/login.cgi` endpoint for SQL injection in the `username` parameter. For example, sending a POST request with the payload `username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; --` can confirm the SQL injection vulnerability if the LOGINFAILEDTABLE is cleared. A sample curl command to test this is: `curl -X POST -d "username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; --&password=any" http://<target-ip>/cgi-bin/login.cgi`. Monitoring for unusual POST requests to `/cgi-bin/login.cgi` or unexpected resets of login failure counters can also indicate exploitation attempts. [1]
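As an added example (not part of this record and not Riello's own code), the following Python script implements the monitoring suggestion above against constructed log lines: it parses POST bodies sent to /cgi-bin/login.cgi and flags `username` values that carry SQL syntax, including a reference to LOGINFAILEDTABLE. The one-line-per-request log format and the indicator list are assumptions; adapt both to what the appliance or a fronting reverse proxy actually records.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of login.cgi POST requests in a hypothetical access-log
# format: "<client-ip> POST /cgi-bin/login.cgi <url-encoded body>".
SAMPLE_LOG = """\
10.0.0.5 POST /cgi-bin/login.cgi username=admin&password=secret
10.0.0.7 POST /cgi-bin/login.cgi username=admin%27%3BDELETE+FROM+LOGINFAILEDTABLE+WHERE+1%3D1%3B+--&password=any
10.0.0.9 POST /cgi-bin/login.cgi username=operator&password=pw
10.0.0.7 POST /cgi-bin/login.cgi username=admin%27+OR+%271%27%3D%271&password=x
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) POST /cgi-bin/login\.cgi (?P<body>\S+)$")

# Assumed indicators of SQL syntax in a field that should only hold a user name.
SQLI_INDICATORS = [
    re.compile(r"'"),                                        # closes the string literal
    re.compile(r";\s*(DELETE|DROP|UPDATE|INSERT)\b", re.I),  # stacked statement
    re.compile(r"--|/\*"),                                   # comments out the rest of the query
    re.compile(r"\bLOGINFAILEDTABLE\b", re.I),               # names the lockout table itself
]

def suspicious_username(username: str) -> list:
    """Return the indicator patterns matched by an already URL-decoded username."""
    return [p.pattern for p in SQLI_INDICATORS if p.search(username)]

def scan_log(text: str) -> list:
    """Return (client ip, decoded username, matched indicators) for suspicious login posts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(m.group("body"), keep_blank_values=True)
        username = params.get("username", [""])[0]  # parse_qs URL-decodes the value
        matched = suspicious_username(username)
        if matched:
            hits.append((m.group("ip"), username, matched))
    return hits

if __name__ == "__main__":
    for ip, user, why in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious username {user!r} matched {why}")
```

A hit from the same client followed by a burst of further login attempts that never triggers lockout is the pattern the "unexpected reset of login failure counters" observation above refers to.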
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Riello UPS NetMan 208 Application to version 1.12 or later, which addresses these vulnerabilities. Until the patch is applied, restrict network access to the device's management interface to trusted hosts only, monitor and block suspicious POST requests to /cgi-bin/login.cgi, and disable or restrict access to vulnerable CGI scripts if possible. Additionally, review and harden authentication mechanisms and monitor for signs of exploitation such as unexpected resets of login failure tables. [1]