Full Report
Researchers from Claroty’s Team82 disclosed two critical vulnerabilities in Vertiv Liebert IS-UNITY-DP and Liebert RDU101 network cards used... The post Claroty finds authentication bypass, RCE flaws in Vertiv UPS management cards that could disrupt data center operations appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Authentication Bypass and RCE in Vertiv UPS Management Cards
## CVE Details
- **CVE ID:** CVE-2025-46412 (Auth Bypass) and CVE-2025-41426 (RCE)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) and CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Vertiv Liebert IS-UNITY-DP and Liebert RDU101 network cards.
- **Versions:** All versions prior to the remediated firmware updates.
- **Configurations:** Systems running the default web-based management interface.
## Vulnerability Description
Researchers identified two critical flaws in the communication modules used to manage Uninterruptible Power Supply (UPS) systems:
1. **CVE-2025-46412:** An authentication bypass vulnerability within the web-based interface. This allows an attacker to gain unauthorized access to the device management console without valid credentials.
2. **CVE-2025-41426:** A stack-based buffer overflow vulnerability. By sending crafted inputs to the device, an attacker can trigger memory corruption to execute arbitrary code with elevated privileges.
The research highlighted that while the cards use different architectures (ARM for RDU101 and PowerPC for UNITY-DP), they share the same core applications, making both lines susceptible.
## Exploitation
- **Status:** Officially disclosed by Claroty Team82; reproduced on the latest firmware available at the time. No mention of wide-scale exploitation in the wild at the time of the report.
- **Complexity:** Medium (requires understanding of the proprietary `PLDServer` application and binary exploitation).
- **Attack Vector:** Network (accessible via the web management interface).
## Impact
- **Confidentiality:** High (Access to device configuration and sensitive network data).
- **Integrity:** High (Unauthorized modification of power management settings).
- **Availability:** High (Potential to force equipment shutdowns, disrupting data center operations).
## Remediation
### Patches
Vertiv has released the following firmware updates to address these vulnerabilities:
- **Liebert RDU101:** Update to version **1.9.1.2_0000001**
- **IS-UNITY Devices:** Update to version **8.4.3.1_00160**
### Workarounds
- **Network Segmentation:** Isolate UPS management cards on a dedicated management VLAN with no exposure to the public internet.
- **Access Control:** Restrict access to the web interface using firewall rules or Access Control Lists (ACLs) to known, trusted IP addresses only.
- **Disable Unused Services:** Disable any management protocols (HTTP, SNMP, etc.) that are not required for operation.
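
An added example, not code from Vertiv, Claroty or the original report: an inventory audit that flags cards running firmware older than the fixed versions listed above, or addressed outside the management networks. The inventory records, host names, addresses and `family` keys are constructed, and the script assumes firmware strings follow the dotted-release-plus-build form shown in this advisory and order numerically.

```python
import ipaddress
import re

# Fixed firmware versions as listed in this advisory.
FIXED = {"RDU101": "1.9.1.2_0000001", "IS-UNITY": "8.4.3.1_00160"}

# Assumed format: dotted numeric release, underscore, numeric build.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)_(\d+)$")


def parse_version(text):
    """Return ((release parts...), build) or None if the string is malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def audit(inventory, mgmt_networks):
    """Return (host, finding) pairs for unpatched or badly placed cards."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for card in inventory:
        fixed = FIXED.get(card["family"])
        have = parse_version(card["firmware"])
        if fixed is None or have is None:
            # Unknown family or unreadable version: never assume it is patched.
            findings.append((card["host"], "cannot assess firmware, check manually"))
        elif have < parse_version(fixed):
            findings.append((card["host"], f"firmware {card['firmware']} is older than {fixed}"))
        if not any(ipaddress.ip_address(card["ip"]) in n for n in nets):
            findings.append((card["host"], "address is outside the management networks"))
    return findings


# Constructed sample inventory (hypothetical hosts and addresses).
SAMPLE = [
    {"host": "ups-a", "family": "RDU101", "firmware": "1.9.1.2_0000001", "ip": "10.20.0.11"},
    {"host": "ups-b", "family": "IS-UNITY", "firmware": "8.4.1.0_00100", "ip": "10.20.0.12"},
    {"host": "ups-c", "family": "RDU101", "firmware": "1.9.0.5_0000003", "ip": "192.0.2.40"},
    {"host": "ups-d", "family": "IS-UNITY", "firmware": "unknown", "ip": "10.20.0.14"},
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE, ["10.20.0.0/24"]):
        print(f"{host}: {finding}")
```
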
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins from unexpected IP addresses or repeated crashes of the `PLDServer` process.
- **Detection Methods and Tools:** Use industrial-aware IDS/IPS signatures to detect stack-based buffer overflow patterns in traffic directed at UPS management ports.
## References
- **Claroty Team82 Research:** hxxps[://]claroty[.]com/team82/research/attacking-ups-network-cards-to-take-down-data-centers
- **CVE-2025-46412:** hxxps[://]claroty[.]com/team82/disclosure-dashboard/cve-2025-46412
- **CVE-2025-41426:** hxxps[://]claroty[.]com/team82/disclosure-dashboard/cve-2025-41426
- **Industrial Cyber News:** hxxps[://]industrialcyber[.]co/threats-attacks/claroty-finds-authentication-bypass-rce-flaws-in-vertiv-ups-management-cards-that-could-disrupt-data-center-operations/