CVE-2025-71318
Published: 2026-06-05
Priority: P269 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector components: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.53% (40.9th percentile)
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages (such as administration.html, administration-commands.html, and configuration.html) to disclose sensitive information including LDAP configuration and active user details, and can invoke privileged UPS control commands — including shutdown, reboot, switch-on-bypass, and battery test — without supplying any credentials.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| riello_ups | netman_204 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB

Riello UPS NetMan 204 LDAP Configuration administration.html missing authentication (Exploit 52183)
Source: vuldb · Published 2026-06-05 · CVSS 9.3 (CRITICAL)
A vulnerability marked as critical has been reported in Riello UPS NetMan 204. This affects an unknown part of the file administration.html of the component LDAP Configuration Handler. This manipulation causes missing authentication.
This vulnerability appears as CVE-2025-71318. The attack may be initiated remotely. In addition, an exploit is available.
GHSA

NetMan 204 fails to enforce authentication on its administrative pages and command endpoints.
Source: GHSA (unreviewed) · Published 2026-06-05 · Severity: CRITICAL · CWE-306 (Missing Authentication for Critical Function)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.