According to cybersecurity firm CyberDanube, attackers can exploit vulnerabilities in Riello UPS devices, potentially allowing them to take control of these systems. Riello Elettronica, a leading Italian manufacturer in the uninterruptible power supply (UPS) market, has yet to patch two security flaws found in its NetMan 204 network communications card, which integrates UPS systems into larger networks.
The first vulnerability, identified as CVE-2024-8877, is an SQL injection flaw that allows attackers to modify log data without authentication. The second vulnerability, CVE-2024-8878, enables an unauthenticated attacker to retrieve a device’s ID, which can be used to reset the password and gain control of the UPS, potentially shutting it down.
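The SQL injection reported as CVE-2024-8877 belongs to a familiar defect class: untrusted input spliced into a query string. The Python example below is added here and is not code from Riello, CyberDanube or the original article; it models a log-writing routine in a vulnerable and a hardened form against an in-memory SQLite table. The table name, the sample rows, the `authenticated` flag and the use of `executescript` (standing in for a native API that runs several statements at once) are constructed assumptions, not details of the NetMan 204 firmware.

```python
"""Vulnerable vs. hardened log writer (added illustration, hypothetical code).

The vulnerable path shows why an unauthenticated, unparameterised log-write
endpoint lets a caller rewrite existing log rows; the hardened path requires
an authenticated caller and binds the message as a parameter.
"""
import sqlite3

# Constructed sample input: closes the string literal the template opens,
# appends an UPDATE against another row, then opens a SELECT whose literal
# absorbs the "')" the template appends, so the script stays valid SQL.
PAYLOAD = "x'); UPDATE event_log SET message='tampered' WHERE id=1; SELECT ('"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the card's log store, with two existing rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event_log (id INTEGER PRIMARY KEY, message TEXT)")
    conn.executemany(
        "INSERT INTO event_log (message) VALUES (?)",
        [("UPS on battery",), ("UPS on mains",)],
    )
    conn.commit()
    return conn


def log_event_vulnerable(conn: sqlite3.Connection, message: str) -> None:
    """Vulnerable pattern: no authentication, and the message is formatted
    straight into the statement text. executescript runs every statement in
    the resulting string, mirroring native exec-style APIs."""
    sql = f"INSERT INTO event_log (message) VALUES ('{message}')"
    conn.executescript(sql)
    conn.commit()


def log_event_safe(conn: sqlite3.Connection, message: str, authenticated: bool) -> None:
    """Hardened pattern: reject unauthenticated callers, then bind the message
    as a parameter so it is stored literally, whatever characters it holds."""
    if not authenticated:
        raise PermissionError("log write requires an authenticated session")
    conn.execute("INSERT INTO event_log (message) VALUES (?)", (message,))
    conn.commit()


def row_message(conn: sqlite3.Connection, row_id: int) -> str:
    """Return the message stored in one log row."""
    return conn.execute(
        "SELECT message FROM event_log WHERE id = ?", (row_id,)
    ).fetchone()[0]


def demo() -> dict:
    """Run the same payload through both writers and report what each stored."""
    vuln = make_db()
    log_event_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    log_event_safe(safe, PAYLOAD, authenticated=True)
    return {
        "vulnerable_row1": row_message(vuln, 1),  # pre-existing row rewritten
        "safe_row1": row_message(safe, 1),        # pre-existing row untouched
        "safe_row3": row_message(safe, 3),        # payload stored as plain text
    }


def rejects_unauthenticated() -> bool:
    """True if the hardened writer refuses a caller without a session."""
    try:
        log_event_safe(make_db(), "UPS test", authenticated=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    print("unauthenticated write rejected:", rejects_unauthenticated())
```

For a defender the two checks that matter are visible in `demo()`: the vulnerable writer lets row 1 change to a value the caller chose, while the hardened writer leaves row 1 intact and records the hostile input as an ordinary message. Either behaviour is a property of the code path, not of the specific payload, so the same test is a useful regression check after any fix is deployed.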
While these devices are typically accessible only from internal networks, some are directly exposed to the internet, especially in Italy and other European countries, raising the risk of exploitation. CyberDanube disclosed these vulnerabilities to Riello in June 2024, but the company has indicated that addressing the issues will take longer than initially expected, with no fix available by the initial deadline of September 19.
Related link – https://cyberdanube.com/en/en-multiple-vulnerabilities-in-riello-netman-204/index.html