Vulnerabilities Impact Multiple Rittal Products Due to Use of Same Firmware

Researchers have discovered several potentially serious vulnerabilities affecting monitoring, cooling and power distribution products made by Germany-based Rittal.

According to Austria-based cybersecurity company SEC Consult, Rittal’s CMC III industrial and IT monitoring system, LCP CW cooling system, and the entire portfolio of power distribution units (PDU) are impacted by six types of vulnerabilities. The affected products all use the same base firmware.

The vendor was informed of the vulnerabilities in late January and has since released patches for the impacted products, with the exception of the PDUs. It is unclear whether those devices will ever receive fixes, since the vendor is preparing to release a replacement product, SEC Consult said.

SecurityWeek has reached out to Rittal for clarifications, but the company has yet to respond.

The vulnerabilities, which have been described by SEC Consult as critical, can be exploited to bypass restrictions, obtain elevated privileges, and execute arbitrary commands.

One vulnerability is related to the command-line interface (CLI) menu through which users configure a device after connecting via SSH. An attacker can escape the restricted menu and obtain a shell with access to the entire filesystem under the account used for the SSH login, which provides a foothold for the further attacks described below.


SEC Consult researchers also found that important operating system files such as /etc/shadow and /etc/passwd can be read and modified by any authenticated user. For instance, an attacker with low-privileged access to the device can modify the shadow file to elevate privileges to root.

The researchers also noticed that the devices all share the same root password. This was determined from the root entry in the shadow file: the hash string, salt included, is identical across devices, which is only possible if the same password and salt were baked into the common firmware image. The hash has not yet been cracked, which is why the vendor says the issue cannot be exploited. Two caveats apply: because the shadow file is writable by any authenticated user, cracking is not needed to obtain root on a given device, and because the hash is the same everywhere, cracking it once would unlock every unit in the field.
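The two shadow-file findings above (any authenticated user can read and write /etc/shadow, and the root hash is identical across units) can both be checked from the operator side without cracking anything. The following is an added example written for this article, not code from SEC Consult or Rittal. The device names and hash strings are constructed for illustration and are not the real values; `shadow_mode_problems` takes an `st_mode` value such as `os.stat("/etc/shadow").st_mode` returns, so it can be run against a real file as well as the constructed inputs.

```python
import stat
from collections import defaultdict

# Constructed sample /etc/shadow contents from three hypothetical devices.
# The hash strings are invented for illustration and are not Rittal's.
SHADOW_BY_DEVICE = {
    "cmc3-rack01": (
        "root:$6$abcdefgh$Qm4XjE9vPbL2:18000:0:99999:7:::\n"
        "admin:$6$deadbeef$R7sKq1Wd0nTz:18000:0:99999:7:::\n"
    ),
    "lcp-cw-row02": (
        "root:$6$abcdefgh$Qm4XjE9vPbL2:18000:0:99999:7:::\n"
        "admin:$6$11112222$Ue8pLm3Vx9Ab:18000:0:99999:7:::\n"
    ),
    "pdu-rack01": (
        "root:$6$zzzzzzzz$Hy5Nc2Tq8Lk4:18000:0:99999:7:::\n"
        "pdu:$6$33334444$Gv1Rs6Mw7Ok0:18000:0:99999:7:::\n"
    ),
}


def parse_shadow(text):
    """Return {user: hash_field} for the contents of a shadow file.

    Only the second colon-separated field is needed here. Locked or empty
    entries ('*', '!', '') are kept as-is so callers can see them.
    """
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        users[fields[0]] = fields[1]
    return users


def shared_hashes(shadow_by_device, user="root"):
    """Group devices by the exact hash string stored for `user`.

    A crypt(3) hash embeds its salt ($id$salt$digest), so two devices can
    only share the full string if they share both the salt and the
    password, i.e. the entry came from a common firmware image instead of
    being generated per device. Returns {hash: [devices]} for every hash
    that appears on more than one device; an empty dict means no sharing.
    """
    groups = defaultdict(list)
    for device, text in shadow_by_device.items():
        h = parse_shadow(text).get(user)
        if h:
            groups[h].append(device)
    return {h: sorted(devs) for h, devs in groups.items() if len(devs) > 1}


def shadow_mode_problems(mode):
    """Flag permission bits on /etc/shadow that let non-root accounts at it.

    `mode` is an st_mode value. Group read (0640 with a dedicated shadow
    group) is the normal Linux layout and is not flagged; read by others,
    or write by group or others, is.
    """
    problems = []
    if mode & stat.S_IROTH:
        problems.append("readable by others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


if __name__ == "__main__":
    for h, devices in shared_hashes(SHADOW_BY_DEVICE).items():
        print(f"root hash {h} shared by: {', '.join(devices)}")
    print("mode 0640:", shadow_mode_problems(0o100640) or "ok")
    print("mode 0666:", shadow_mode_problems(0o100666))
```

Run on the constructed data, the fleet check reports the two devices that carry the same root hash while the third, which has a per-device hash, is left out; the mode check accepts the standard 0640 and flags 0666, the world-writable case that lets a low-privileged user rewrite root's entry.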

Rittal products are also affected by a command injection vulnerability in the web interface, specifically the NTP server IP address settings. An attacker who has admin privileges can exploit this to execute commands with root permissions.

Another issue is that the web server runs with root privileges, so a command injection that requires only web-interface admin credentials yields root on the whole device rather than a shell as the web server's own account.
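The NTP-setting bug has a familiar shape: a value from a web form is spliced into a command line that is then handed to the shell. The following added example, written for this article and not taken from the affected firmware or from SEC Consult's PoC, shows the vulnerable pattern next to a hardened version. All function names are my own; `echo` stands in for the NTP client binary so the demo runs without ntpdate, and the assumed setting is an IP address, as the article describes (a hostname field would need its own strict allowlist).

```python
import ipaddress
import subprocess

# Stand-in for the NTP client binary the device would call (assumption).
NTP_CLIENT = "echo"


def build_ntp_command_vulnerable(server):
    """Vulnerable pattern: the form value is interpolated into a string
    that will be executed through /bin/sh -c, so ';', '|', '$(...)' and
    friends in the value are honoured by the shell."""
    return f"{NTP_CLIENT} {server}"


def run_vulnerable(server):
    """Execute the vulnerable command line the way a handler using
    os.system() or subprocess with shell=True would."""
    completed = subprocess.run(
        build_ntp_command_vulnerable(server),
        shell=True, capture_output=True, text=True, timeout=5,
    )
    return completed.stdout


def build_ntp_command_hardened(server):
    """Hardened pattern: reject anything that does not parse as an IPv4 or
    IPv6 address, then return an argv list so no shell ever sees the
    value. Raises ValueError on rejection."""
    try:
        addr = ipaddress.ip_address(server.strip())
    except ValueError as exc:
        raise ValueError(f"NTP server must be an IP address, got {server!r}") from exc
    return [NTP_CLIENT, str(addr)]


def run_hardened(server):
    """Execute the validated argv directly (shell=False is the default)."""
    completed = subprocess.run(
        build_ntp_command_hardened(server),
        capture_output=True, text=True, timeout=5,
    )
    return completed.stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable ->", run_vulnerable(payload).strip())
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened  ->", err)
    print("hardened  ->", run_hardened("10.0.0.1").strip())
```

With the payload `10.0.0.1; echo INJECTED` the vulnerable path runs the second command, which is the whole bug; the hardened path refuses the value before anything executes, and passes legitimate addresses through as a single argv element. Validation and avoiding the shell fix the injection, but they do not address the second finding: the process should not be root in the first place, so a setting change that still escapes would be worth a local account rather than the entire device.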

The Rittal products have also been found to use outdated versions of third-party software, including OpenSSL and the Linux kernel, which can contain serious vulnerabilities.

SEC Consult has only released proof-of-concept (PoC) code for the command injection vulnerability since this is the only issue that has been patched in all of the impacted products.

The cybersecurity firm told SecurityWeek that the impacted devices are typically not reachable from the internet, but a Shodan search did turn up a small number of internet-exposed units, which may have been exposed deliberately or through misconfiguration.

An attacker who can reach the targeted device can exploit the command injection vulnerability to gain root privileges. While exploitation requires access to the product's admin panel, an attacker could try to obtain that access with default credentials. These defaults, such as admin/admin and pdu/pdu, are listed in the product documentation, and SEC Consult found during its tests that in most cases they had not been changed.

An attacker could also attempt to log in via SSH using the default admin username and brute-force the root password. They could then use the su (substitute user) command to elevate privileges, SEC Consult explained.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
