CVE-2020-11951
📋 TL;DR
Rittal PDU-3C002DEC and CMCIII-PU-9333E0FB devices contain a hardcoded backdoor root account, allowing attackers to gain full administrative control. This affects devices running firmware up to version 5.17.10 for PDU-3C002DEC and up to 3.17.10 for CMCIII-PU-9333E0FB. Organizations using these power distribution units and monitoring systems are vulnerable.
💻 Affected Systems
- Rittal PDU-3C002DEC
- Rittal CMCIII-PU-9333E0FB
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of affected devices, allowing attackers to disrupt power distribution, manipulate monitoring data, pivot to other network systems, or cause physical damage through power manipulation.
Likely Case
Attackers gain persistent administrative access to devices, enabling data theft, network reconnaissance, and potential lateral movement to connected systems.
If Mitigated
Limited impact if devices are isolated in secure network segments with strict access controls and monitoring, though backdoor access remains possible.
🎯 Exploit Status
The backdoor account credentials are publicly documented, making exploitation trivial for anyone with network access to the devices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PDU-3C002DEC: >5.17.10, CMCIII-PU-9333E0FB: >3.17.10
Vendor Advisory: https://www.rittal.com/com-en/content/en/cybersecurity/
Restart Required: Yes
Instructions:
1. Check current firmware version.
2. Download latest firmware from Rittal support portal.
3. Apply firmware update following vendor instructions.
4. Verify backdoor account is removed or disabled.
5. Change all administrative credentials.
🔧 Temporary Workarounds
Network segmentation and access control
Isolate affected devices in separate VLANs with strict firewall rules to limit access to authorized management systems only.
Disable remote management interfaces
If possible, disable SSH, Telnet, and web management interfaces that are not essential for operation.
🧯 If You Can't Patch
- Immediately isolate affected devices in a dedicated network segment with strict access controls
- Implement network monitoring and intrusion detection specifically for traffic to/from these devices
🔍 How to Verify
Check if Vulnerable:
Attempt to authenticate to the device using the documented backdoor credentials via SSH or the web interface.
Check Version:
Check the device web interface or use an SNMP query to determine the firmware version.
Verify Fix Applied:
Confirm that the firmware version is above the affected versions and that an authentication attempt with the backdoor credentials fails.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication using backdoor account name
- Multiple failed login attempts followed by a successful login from an unusual IP address
Network Indicators:
- SSH/Telnet connections to device from unauthorized IPs
- Unusual network traffic patterns from device
SIEM Query:
source="rittal-device" AND (event_type="authentication_success" AND user="backdoor_account_name")
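The version check from "How to Verify" and the log indicator from "Detection & Monitoring", worked as one added example (not part of the advisory or any Rittal tool). It assumes the affected-version boundaries stated above, a generic syslog/sshd-style log line shape, an authorized-account list of your own, and uses the placeholder account name backdoor_account_name from the SIEM query rather than any real credential.

```python
import re
from typing import Dict, List, Optional, Tuple

# Last affected firmware per model, taken from the advisory for CVE-2020-11951.
LAST_AFFECTED: Dict[str, Tuple[int, ...]] = {
    "PDU-3C002DEC": (5, 17, 10),
    "CMCIII-PU-9333E0FB": (3, 17, 10),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version such as 'V5.17.10' or '5.17.10' as a comparable int tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if firmware is at or below the last affected release; None for unlisted models."""
    last = LAST_AFFECTED.get(model)
    if last is None:
        return None
    return parse_version(firmware) <= last

# Accounts that may legitimately log in (assumed names; replace with your own inventory).
AUTHORIZED_ADMINS = {"admin", "netops"}

# Constructed sample log lines in a generic syslog/sshd shape; real device logs may differ.
SAMPLE_LOGS = [
    "2020-05-04T10:01:12Z rittal-pdu-01 sshd: Accepted password for admin from 10.0.20.5",
    "2020-05-04T10:07:45Z rittal-pdu-01 sshd: Failed password for admin from 198.51.100.23",
    "2020-05-04T10:07:49Z rittal-pdu-01 sshd: Accepted password for backdoor_account_name from 198.51.100.23",
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

def suspicious_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return every successful login whose account is not in the authorized set."""
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m and m.group("user") not in AUTHORIZED_ADMINS:
            hits.append(m.groupdict())
    return hits

if __name__ == "__main__":
    print(is_vulnerable("PDU-3C002DEC", "V5.17.10"))  # True
    print(suspicious_logins(SAMPLE_LOGS))
```

A firmware string with fewer components than the boundary (e.g. "5.17") compares as older and is flagged, which is the conservative outcome for an inventory sweep.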