Login Sign Up

CVE-2022-47893

10.0 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2022-47893 is a critical remote code execution vulnerability in NetMan 204 devices that allows attackers to upload malicious firmware containing a webshell. This enables complete system compromise with root privileges. All versions of NetMan 204 are affected.

💻 Affected Systems

Products:
  • Riello NetMan 204
Versions: All versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments are vulnerable regardless of configuration. Device manages uninterruptible power supplies (UPS).

📦 What is this software?

Netman 204 Firmware by Riello Ups

View all CVEs affecting Netman 204 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with root access, allowing data theft, lateral movement, ransomware deployment, and persistent backdoor installation.

🟠

Likely Case

Attacker gains full control of the NetMan 204 device, potentially compromising connected UPS systems and network infrastructure.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to isolated network segment containing vulnerable device.

🌐 Internet-Facing: HIGH - Directly exploitable from internet if device exposed, leading to immediate compromise.
🏢 Internal Only: HIGH - Even internally, vulnerable devices can be exploited by attackers who gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit involves uploading specially crafted firmware file. Public exploit code and technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact vendor for latest firmware

Vendor Advisory: https://www.incibe.es/incibe-cert/alerta-temprana/avisos-sci/multiples-vulnerabilidades-netman-204-riello-ups

Restart Required: Yes

Instructions:

1. Contact Riello UPS vendor for latest firmware. 2. Backup current configuration. 3. Apply firmware update via web interface. 4. Verify update successful and device functioning.

🔧 Temporary Workarounds

Network Isolation

all

Isolate NetMan 204 devices from internet and restrict network access

Access Control Lists

all

Implement strict firewall rules to limit access to NetMan 204 management interface

🧯 If You Can't Patch

  • Immediately isolate device from all networks except required UPS connections
  • Implement strict network monitoring for suspicious firmware upload attempts

🔍 How to Verify

Check if Vulnerable:

Check device model and firmware version via web interface. All NetMan 204 devices are vulnerable.

Check Version:

Access web interface and check System Information or Firmware Version page

Verify Fix Applied:

Verify firmware version after update and test that malicious firmware uploads are blocked

📡 Detection & Monitoring

Log Indicators:

  • Firmware upload events
  • Unauthorized file upload attempts
  • Webshell access patterns

Network Indicators:

  • HTTP POST requests to firmware upload endpoints
  • Suspicious outbound connections from device

SIEM Query:

source="netman204" AND (event="firmware_upload" OR url_path="/upload")

📊 Metadata

CVE ID: CVE-2022-47893
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-434
Published: October 3, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-47893, you might also want to check these:

CVE-2024-52490 10.0

This vulnerability allows attackers to upload arbitrary files, including web shells, to Pathomation ...

Same vulnerability type (CWE-434)
CVE-2024-43160 10.0

CVE-2024-43160 is an unauthenticated arbitrary file upload vulnerability in the BerqWP WordPress plu...

Same vulnerability type (CWE-434)
CVE-2024-8940 10.0

CVE-2024-8940 is a critical unrestricted file upload vulnerability in Scriptcase version 9.4.019 tha...

Same vulnerability type (CWE-434)