
NetMan 204 CVE-2025-71317

EUVD-2025-210078 · CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-05 VulnCheck GHSA-w87w-x2c9-f3pw
9.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated
Jun 05, 2026 - 18:32 vuln.today
CVSS changed
Jun 05, 2026 - 18:22 NVD
9.8 (CRITICAL) -> 9.3 (CRITICAL)

Description (CVE.org)

NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint (for example /cgi-bin/login.cgi?username=eurek&password=eurek, which due to lax parameter validation can be shortened to /cgi-bin/login.cgi?username=eurek%20eurek) to obtain administrator privileges, allowing them to alter device configuration, enable the telnet/SSH services, and reset local user credentials.

Analysis (AI)

Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base score of 9.3, and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions, including configuration changes and enabling telnet/SSH. At the time of analysis the vulnerability was not listed in the CISA KEV catalog as actively exploited, but the trivially abusable static credential makes opportunistic exploitation highly likely.

Technical Context (AI)

NetMan 204 is a network management card produced by Riello UPS for remote monitoring and control of uninterruptible power supplies, commonly deployed in data centers, industrial environments, and critical-infrastructure power distribution. The vulnerability is rooted in CWE-798 (Use of Hard-coded Credentials): the firmware ships with an undocumented administrator account whose username and password are both 'eurek', validated through the cgi-bin/login.cgi web interface. A secondary parsing weakness in the CGI handler treats a single space-delimited query parameter ('username=eurek%20eurek') as equivalent to separate username and password parameters, showing lax input parsing on top of the credential issue. CPE coverage (cpe:2.3:a:riello_ups:netman_204:*) indicates that all firmware versions of the NetMan 204 card are presently in scope.

Remediation (AI)

No vendor-released patched version is independently confirmed in the available data; defenders should monitor the Riello downloads portal at https://www.riello-ups.com/downloads/25-netman-204 for an updated NetMan 204 firmware that removes the 'eurek' account, and review the VulnCheck advisory at https://www.vulncheck.com/advisories/netman-204-hard-coded-backdoor-credentials for any vendor coordination updates. Until a fix is installed, immediately remove the NetMan 204 web management interface from internet exposure by placing it behind a management VLAN or a firewall ACL that restricts access to known administrative source IPs; this trades remote convenience for safety. Disable any port-forwarding rules to the device and, where the device supports it, disable the telnet/SSH services so that an attacker who does authenticate via the backdoor cannot easily pivot to an interactive shell; this reduces post-compromise utility but does not block the configuration-tampering paths through the web UI itself. Monitor web logs for requests to /cgi-bin/login.cgi containing the string 'eurek' as a high-fidelity indicator of exploitation attempts.
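The log-monitoring step above, as an added detection example that is not part of this advisory or of any Riello tooling: it parses combined-format web access log lines (the sample lines and IP addresses are constructed), percent-decodes the query string so both the two-parameter and the shortened 'eurek%20eurek' form are caught, and reports each matching login.cgi request with its source address. The log format and field layout are assumptions; adapt the regex to whatever proxy or device log you actually collect.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format (not real device logs).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:18:40:01 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [05/Jun/2026:18:40:05 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [05/Jun/2026:18:41:10 +0000] "GET /cgi-bin/login.cgi?username=admin&password=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2026:18:41:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/cgi-bin/login.cgi"
BACKDOOR_MARKER = "eurek"


def is_backdoor_login(target):
    """True if the request targets login.cgi with the 'eurek' credential in any query parameter."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return False
    # Decode once so 'eurek%20eurek' and the plain two-parameter form both match.
    decoded_query = unquote_plus(parts.query)
    return BACKDOOR_MARKER in decoded_query.lower()


def find_backdoor_attempts(log_text):
    """Return one record per matching request; the HTTP status is kept for correlation only,
    since the CGI may answer 200 to both accepted and rejected logins."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_backdoor_login(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} (HTTP {hit['status']})")
```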


CVE-2025-71317 vulnerability details – vuln.today
