CVE-2025-68914
📋 TL;DR
This vulnerability allows SQL injection through the username parameter in the login.cgi endpoint of Riello UPS NetMan 208 Application. Attackers can execute arbitrary SQL commands, potentially deleting critical database tables like LOGINFAILEDTABLE. Organizations using affected versions of this UPS management software are at risk.
💻 Affected Systems
- Riello UPS NetMan 208 Application
📦 What is this software?
NetMan 208 by Riello UPS
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data destruction, authentication bypass, or remote code execution on the underlying system.
Likely Case
Database manipulation including deletion of authentication logs, extraction of credentials, or disruption of UPS monitoring functionality.
If Mitigated
Limited impact if proper input validation and database permissions are enforced, though SQL injection attempts would still be logged.
🎯 Exploit Status
SQL injection in the login endpoint typically requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.12 or later
Vendor Advisory: https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025
Restart Required: Yes
Instructions:
1. Download version 1.12 or later from Riello official sources.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the NetMan 208 service.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the NetMan 208 web interface to trusted networks only. Linux host-firewall example (replace TRUSTED_NETWORK with the management subnet in CIDR form; because -A appends, these rules only take effect if no earlier rule already accepts the traffic):
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Application Firewall
Deploy WAF rules to block SQL injection patterns in the login.cgi request parameters (no vendor-supplied rule set is referenced here; use your WAF's SQL injection rule group and scope it to the login endpoint).
🧯 If You Can't Patch
- Implement strict network access controls to isolate the NetMan 208 system from untrusted networks.
- Deploy a web application firewall with SQL injection detection rules in front of the application.
🔍 How to Verify
Check if Vulnerable:
Check whether the version is below 1.12 via the web interface or configuration files. Test the login endpoint with SQL injection payloads in the username parameter.
Check Version:
Check web interface footer or configuration files for version information. No universal CLI command available.
Verify Fix Applied:
Verify that the version is 1.12 or higher. Test the login endpoint with SQL injection payloads to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts with SQL-like patterns in username field
- Database error messages containing SQL syntax
Network Indicators:
- HTTP POST requests to /cgi-bin/login.cgi with SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="netman_logs" AND (message="*SQL*" OR message="*syntax*" OR username="*' OR *")
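The log indicators and SIEM query above, turned into a small offline detector as an added example (not code from the advisory or from Riello): it scans login.cgi log lines for SQL-like patterns in the username field and SQL/syntax errors in the message, mirroring the query's `username="*' OR *"` and `message="*SQL*"` clauses. The syslog-style line format and the field names user=, result= and msg= are assumptions, since the advisory does not document the real log format; the sample lines are constructed.

```python
import re

# Constructed sample lines in an assumed syslog-style NetMan 208 login log.
# The field names (user=, result=, msg=) are an assumption for this example.
SAMPLE_LOG = """\
2025-01-10T08:01:02Z netman login.cgi user=admin result=failed msg="invalid password"
2025-01-10T08:01:05Z netman login.cgi user=admin result=ok msg="login ok"
2025-01-10T08:02:17Z netman login.cgi user="admin' OR '1'='1" result=failed msg="invalid password"
2025-01-10T08:02:19Z netman login.cgi user="x'; DROP TABLE LOGINFAILEDTABLE;--" result=error msg="SQL syntax error near DROP"
2025-01-10T08:03:00Z netman login.cgi user=operator result=failed msg="invalid password"
"""

# key=value where the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Username patterns: the advisory's "' OR" indicator plus SQL keywords and the
# statement/comment terminators that accompany injection attempts.
SQLI_USERNAME_RE = re.compile(
    r"'\s*(?:or|and)\b|--|;|\b(?:union|select|drop|delete|insert|update)\b",
    re.IGNORECASE,
)
# Message patterns mirroring message="*SQL*" OR message="*syntax*".
SQL_ERROR_RE = re.compile(r"\bSQL\b|syntax", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(rest)}
    return timestamp, fields


def scan_login_log(text):
    """Return one finding per login.cgi line whose username or message looks like SQLi."""
    findings = []
    for line in text.splitlines():
        if "login.cgi" not in line:
            continue
        timestamp, fields = parse_line(line)
        user, msg = fields.get("user", ""), fields.get("msg", "")
        reasons = []
        if SQLI_USERNAME_RE.search(user):
            reasons.append("sql-pattern-in-username")
        if SQL_ERROR_RE.search(msg):
            reasons.append("sql-error-in-message")
        if reasons:
            findings.append({"time": timestamp, "user": user, "reasons": reasons})
    return findings
```

Running scan_login_log(SAMPLE_LOG) flags only the two injection-looking lines; ordinary failed logins such as the operator line produce no finding.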