CVE-2019-16261

CVSS base score: 9.1 (CRITICAL)

📋 TL;DR

This vulnerability allows an unauthenticated attacker who can reach the embedded web management interface to send POST requests to its /Forms/ endpoints and have them acted upon without a login, which is enough to change the administrative password or switch off power to outlets. It affects Tripp Lite PDUMH15AT power distribution units and SU750XL UPS units running the firmware versions listed below. Organizations that rely on these devices to control power for servers, network gear, or other critical equipment are at risk of outages and lock-out.

💻 Affected Systems

Products:
  • Tripp Lite PDUMH15AT
  • Tripp Lite SU750XL
Versions: PDUMH15AT firmware 12.04.0053; SU750XL firmware 12.04.0052
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor states newer firmware versions fixing this vulnerability were already released before the vulnerability report.

📦 What is this software?

Tripp Lite power-management hardware: the PDUMH15AT is a rack power distribution unit and the SU750XL is a UPS. Both run embedded firmware that exposes a web management interface (the /Forms/ endpoints referenced by this CVE) and optionally SNMP, used to monitor the device and control the power delivered to connected equipment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker shuts off power to critical infrastructure, causing data center or branch outages, and locks legitimate administrators out of the device by changing the administrative password.

🟠 Likely Case

Unauthorized power cycling of attached equipment leading to service disruption, or unauthorized configuration changes to the power-management device.

🟢 If Mitigated

With fixed firmware installed, the /Forms/ endpoints no longer act on unauthenticated requests. Where only network controls are in place, exposure is limited to hosts that can reach the isolated management segment, with no internet exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending POST requests to /Forms/ endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Newer firmware versions than those listed

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Download the latest firmware for the device from the Tripp Lite support site.
2. Back up the current device configuration.
3. Upload and install the new firmware via the web interface (the device restarts during the upgrade).
4. Verify that the reported firmware version is newer than the affected version and restore the configuration if needed.

🔧 Temporary Workarounds

Network segmentation (applies to: all affected versions)

Isolate PDU and UPS management interfaces on a separate management VLAN with strict firewall rules.

Access control restrictions (applies to: all affected versions)

Restrict access to the management interfaces to an allow-list of administrator and monitoring-system source IPs.

🧯 If You Can't Patch

  • Segment the devices on an isolated management network with no internet access
  • Implement strict firewall rules that block all access to the PDU management interfaces except from designated administration and monitoring hosts; segmentation alone does not stop an attacker who already has a foothold on the management segment, so restrict source addresses as well

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface (or SSH, if available) and compare it with the affected versions above. A live test consists of sending a POST request to a /Forms/ endpoint without logging in and observing whether it is acted upon; do this only against a lab unit or a non-critical outlet, since on a vulnerable device the request can change the administrative password or cut outlet power.

Check Version:

Check via web interface at device IP or use SNMP queries if configured

Verify Fix Applied:

Verify that the reported firmware version is newer than 12.04.0053 (PDUMH15AT) or 12.04.0052 (SU750XL). Then confirm that an unauthenticated POST to a /Forms/ endpoint is rejected rather than acted upon (no password change, no outlet state change), using the same precautions as above.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /Forms/ endpoints with no preceding successful login from the same source address
  • Administrative password changes or outlet power-off events in the device log that do not correspond to a planned change

Network Indicators:

  • POST requests to PDU or UPS management interfaces from addresses outside the management allow-list
  • Requests to /Forms/ paths that carry no session cookie or authentication header

SIEM Query:

source_ip=* AND dest_ip=PDU_IP AND http_method=POST AND uri_path="/Forms/*" AND NOT auth_token=*
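The SIEM query above expressed as runnable detection logic over access-log lines, as an added example that is not code from the CVE record or from Tripp Lite. It assumes the device's HTTP traffic is logged in Apache/nginx "combined" format by a reverse proxy or tap, with the request's Cookie header appended as a final quoted field, and treats any non-empty Cookie value as evidence of a session (the device's real session cookie name is not documented here). The management allow-list, the form names under /Forms/, and the log lines themselves are constructed for illustration.

```python
"""Flag POST requests to /Forms/ on a PDU/UPS management interface that carry
no session credential or come from outside the management allow-list.

Added example; not from the CVE record or Tripp Lite. Log format, cookie
handling, allow-list and sample lines are assumptions (see comments).
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed hosts permitted to reach the management interface (jump host and NMS).
ALLOWED_MGMT_HOSTS = {"10.10.0.5", "10.10.0.6"}

# Apache/nginx "combined" format plus an optional trailing quoted Cookie field
# (assumption: the proxy is configured to log the request's Cookie header).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)


@dataclass(frozen=True)
class Alert:
    src: str
    path: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "-" means the Cookie header was absent; normalise it to None.
    rec["cookie"] = rec["cookie"] if rec["cookie"] not in (None, "-", "") else None
    return rec


def classify(rec: dict) -> Optional[str]:
    """Reason a record is suspicious, or None. Only POSTs under /Forms/ matter."""
    if rec["method"] != "POST" or not rec["path"].startswith("/Forms/"):
        return None
    if rec["cookie"] is None:
        # The CVE condition: a form handler reached with no session at all.
        return "unauthenticated POST to /Forms/"
    if rec["src"] not in ALLOWED_MGMT_HOSTS:
        return "POST to /Forms/ from host outside management allow-list"
    return None


def scan(lines: Iterable[str]) -> list:
    """Run the classifier over a log and return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        reason = classify(rec)
        if reason:
            alerts.append(Alert(rec["src"], rec["path"], rec["status"], reason))
    return alerts


# Constructed sample log. The form names under /Forms/ are placeholders,
# not endpoints documented for the device.
SAMPLE_LOG = [
    '10.10.0.5 - - [12/Sep/2019:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 1523 "-" "Mozilla/5.0" "-"',
    '10.10.0.5 - - [12/Sep/2019:10:01:40 +0000] "POST /Forms/placeholder_outlet HTTP/1.1" 302 0 "-" "Mozilla/5.0" "session=9f2c1a"',
    '192.0.2.77 - - [12/Sep/2019:10:05:13 +0000] "POST /Forms/placeholder_password HTTP/1.1" 200 412 "-" "python-requests/2.22.0" "-"',
    '10.10.0.6 - - [12/Sep/2019:10:06:00 +0000] "POST /Forms/placeholder_outlet HTTP/1.1" 302 0 "-" "curl/7.64.1"',
    '192.0.2.77 - - [12/Sep/2019:10:07:45 +0000] "GET /Forms/placeholder_outlet HTTP/1.1" 405 0 "-" "curl/7.64.1" "-"',
    '10.10.0.9 - - [12/Sep/2019:10:08:10 +0000] "POST /Forms/placeholder_outlet HTTP/1.1" 302 0 "-" "Mozilla/5.0" "session=77ab"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.src} {a.status} {a.path}: {a.reason}")
```

On the sample log this raises three alerts: the two cookie-less POSTs (one from an unknown host, one from an allowed host, which is exactly the case the allow-list alone would miss) and the POST from 10.10.0.9 that has a session but is not on the allow-list. A Cookie header is only a weak proxy for authentication, since a device may set a cookie before login; the stronger signal on a vulnerable unit is a 2xx/3xx response to a /Forms/ POST with no prior successful login from that source, which is the first log indicator listed above.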
