CVE-2024-8877
published 2024-09-25


Priority: P187 | critical | 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 77.31% (99.5th percentile)
Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. It is only limited to the SQLite database of measurement data. This issue affects Netman 204: through 4.05.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
riello-ups | netman_204_firmware | <= 4.05 |
riello | netman_204 | <= 4.05 |

Detection & IOCs (extracted from sources)

path: /cgi-bin/db_datalog_w.cgi
path: /cgi-bin/db_eventlog_w.cgi
path: /cgi-bin/db_multimetr_w.cgi
url: {{BaseURL}}/cgi-bin/db_eventlog_w.cgi?date_start=0&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/db_"; fast_pattern; startswith; pcre:"/^(?:eventlog|datalog|multimetr)/R"; content:"_w.cgi|3f|"; distance:0; content:"type|3d|"; distance:0; pcre:"/^[^\x26]*?(?:\x27|%27)/R"; reference:url,cyberdanube.com/security-research/multiple-vulnerabilities-in-riello-netman-204/; reference:cve,2024-8877; classtype:attempted-admin; sid:2058117; rev:1; metadata:affected_product Riello_UPS, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_06, cve CVE_2024_8877, deployment Perimeter, deployment Internal, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_06; target:dest_ip;)
  • HTTP response body for successful SQLi exploitation contains the strings 'START APPLICATION', 'category":', and 'codeStr":' with HTTP 200 status code.
  • Shodan, FOFA, Censys, and Google dork queries can identify exposed Riello Netman 204 devices as attack targets: title:"netman 204", body:"netman204", intitle:"netman 204".
  • The SQLi payload uses comment-based bypass (/**/) and single-quote injection in the 'type' parameter: type=%25%27and/**/%271%27=%271 — look for URL-encoded single quotes (%27) in requests to the vulnerable CGI endpoints.
  • The Snort/ET rule triggers on GET requests where the URI starts with /cgi-bin/db_ followed by eventlog, datalog, or multimetr, then _w.cgi, and contains a single quote (literal or %27) in the type parameter value.
  • Exploitation requires no authentication (unauthenticated SQLi), so any source IP hitting these endpoints with SQLi patterns should be treated as malicious.
  • The SQL injection only affects the SQLite database of measurement data — it does not impact the main device configuration database.
  • The ET Snort rule (sid:2058117) is scoped to plaintext traffic only (tls_state plaintext); encrypted HTTPS traffic to the device would not be detected by this rule.
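
The rule logic described in the bullets above, applied to web access logs instead of network traffic, as an added example that is not part of the original page or of the ET ruleset. It assumes Combined Log Format lines (for instance from a reverse proxy in front of the device); the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints listed on this page as affected by CVE-2024-8877.
VULN_PATH = re.compile(r"^/cgi-bin/db_(?:eventlog|datalog|multimetr)_w\.cgi$")
# Assumption: Common/Combined Log Format, request field like "GET /x?y HTTP/1.1".
REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_type_value(target):
    """Return the decoded 'type' value if it contains a single quote, else None."""
    parts = urlsplit(target)
    if not VULN_PATH.match(parts.path):
        return None
    # parse_qsl percent-decodes values, so %27 and a literal ' are treated alike.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "type" and "'" in value:
            return value
    return None


def scan(lines):
    """Return (source_ip, status, path, decoded_type) for each matching GET request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m["method"] != "GET":
            continue
        value = suspicious_type_value(m["target"])
        if value is not None:
            hits.append((m["src"], int(m["status"]), urlsplit(m["target"]).path, value))
    return hits


# Constructed sample log lines (documentation IP ranges). The second line carries
# the query string quoted on this page; the other two must not match.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/May/2024:20:00:01 +0000] "GET /cgi-bin/db_eventlog_w.cgi?date_start=0&date_end=1715630160&gravity=%25&type=%25 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/May/2024:20:00:05 +0000] "GET /cgi-bin/db_eventlog_w.cgi?date_start=0&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/May/2024:20:00:09 +0000] "GET /index.html?type=%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the check runs on logged requests rather than on the wire, it also covers requests that reached the device over HTTPS, which the plaintext-scoped rule does not see.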

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | 6.9 | MEDIUM