
Claroty finds authentication bypass, RCE flaws in Vertiv UPS management cards that could disrupt data center operations


Researchers from Claroty’s Team82 disclosed two critical vulnerabilities in Vertiv Liebert IS-UNITY-DP and Liebert RDU101 network cards used to manage uninterruptible power supply (UPS) systems, warning that exploitation could enable attackers to bypass authentication, execute remote code, and potentially shut down equipment protected by the UPS devices. Since UPS systems are widely used in data centers and critical infrastructure to maintain power continuity and support safe shutdowns during outages, compromise of these communication modules could lead to significant operational disruption. Vertiv has released firmware updates to address both flaws, which were assigned CVSS scores of 9.8. 

Both vulnerabilities were disclosed to Vertiv and reproduced on the latest firmware versions of the Liebert IS-UNITY and Liebert RDU101 communication cards. The vendor recommends that users update Liebert RDU101 devices to version 1.9.1.2_0000001 and IS-UNITY devices to version 8.4.3.1_00160 to address the identified vulnerabilities.

“Successful exploits of CVE-2025-46412 and CVE-2025-41426 could allow an attacker to not only access vulnerable devices, but also execute arbitrary code that could cause damaging disruptions to organizations reliant on these devices for uptime and service reliability,” Vera Mens wrote in a Tuesday blog post. “CVE-2025-46412 is an authentication bypass vulnerability that allows an attacker to access the devices via a web-based interface. CVE-2025-41426 is a stack-based buffer overflow vulnerability that enables remote code execution on affected devices.” 

Mens detailed that Vertiv manufactures several product lines, with the most popular being the Vertiv RDU101 (Linux ARM 32 bit) and Vertiv UNITY-DP (Linux PowerPC). “The main applications within the card are the same we used for the research. Vertiv UNITY-DP was much easier for us to obtain, however PowerPC architecture is a platform that is less convenient for research, so we decided to purchase the UNITY-DP to be able to validate our findings but perform the vulnerability research on RDU101.”

“We invest considerable effort on setup for dynamic research,” Mens wrote. “Our interest is to be able to debug the running applications, thus speeding up vulnerability discovery and validation. The network card runs several services, and since the operating system is Linux and the architecture is ARM, getting the services running, with some limitations because of missing peripherals, is relatively straightforward.”

She added, “We chose Raspberry Pi as our run environment and the Vertiv card applications will run on its OS and kernel. The firmware is an archive with a device tree, kernel and the root file system. We are looking for vulnerabilities only in user-level programs, so for our research, we are interested only in the content of the root file system.”

Because the card's binaries are executed inside a chroot of that root file system, their libraries are loaded relative to the chrooted file system rather than from the Raspberry Pi's own.

“The Vertiv RDU101/Unity cards expose numerous services, from management interfaces to monitoring applications,” according to Mens. “From a research perspective, we’re interested in the ones that present the largest attack surface, such as the web interface, which is available by default. The web interface provides the configuration features for the card and the UPS unit, and is usually not opted-out by users. After choosing this attack vector, the next step was understanding how the web server is bootstrapped so we could recreate it in our Raspberry Pi environment.”

The researchers found that recreating Vertiv’s web interface outside its native environment was challenging because the platform relies heavily on PLDServer, a proprietary application handling core device functions and communications between services. 

While the Apache-based web server could be partially started, running PLDServer would have required extensive binary patching, leading the team to focus instead on the authentication mechanism. Their analysis centered on the ‘pldproxyweb’ component, examining which endpoints were accessible without authentication, whether unauthenticated resources contained vulnerabilities, how authentication was enforced, and whether weaknesses in the authentication logic could be exploited to bypass access controls.

Team82 identified a URI confusion vulnerability in the web server implementation of Vertiv’s RDU101 and UNITY network management cards. While initial analysis found no obvious weaknesses in password recovery, memory handling, file uploads, or authentication mechanisms, researchers discovered that the application determined request types by searching for specific strings anywhere within a URL rather than validating their location. This approach created the potential for endpoint confusion, allowing the order of application logic to be manipulated through specially crafted URLs.

According to the researchers, the flaw could enable attackers to bypass authentication checks for sensitive functions by embedding specific keywords within request paths. Static binary analysis indicated that the vulnerability affected both product lines and could be exploited to access high-impact operations, including configuration uploads and firmware upgrades, without proper authorization. The team’s findings suggested that seemingly minor flaws in URL parsing logic could have significant security consequences for devices used to manage critical power infrastructure.
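The class of flaw described above, shown as an added example that is not code from Vertiv's firmware or from Team82's write-up: a substring-based request classifier beside an anchored, default-deny one. The `/static/` prefix, the `/config/upload` path and all function names are hypothetical, and the sample requests are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical route name for illustration; not taken from the Vertiv firmware. */
#define PUBLIC_PREFIX "/static/"

/* Flawed pattern: the request is treated as public if the keyword occurs
 * anywhere in the raw URI, including the query string or a later segment. */
bool is_public_weak(const char *uri) {
    return strstr(uri, PUBLIC_PREFIX) != NULL;
}

/* Hardened pattern: classify on the path only, anchored at its start, and
 * refuse anything that could make the handler resolve a different path. */
bool is_public_strict(const char *uri) {
    size_t path_len = strcspn(uri, "?#");          /* drop query and fragment */
    size_t prefix_len = strlen(PUBLIC_PREFIX);
    if (path_len <= prefix_len || strncmp(uri, PUBLIC_PREFIX, prefix_len) != 0)
        return false;                              /* keyword must lead the path */
    for (size_t i = 0; i < path_len; i++) {
        if (uri[i] == '%' || uri[i] == '\\')       /* no encoded or alternate separators */
            return false;
        if (uri[i] == '/' && i + 1 < path_len && uri[i + 1] == '/')
            return false;                          /* no empty segments */
        if (uri[i] == '/' && strncmp(uri + i, "/..", 3) == 0 &&
            (i + 3 == path_len || uri[i + 3] == '/'))
            return false;                          /* no parent-directory segments */
    }
    return true;
}

/* Default deny: authentication is skipped only for strictly public paths. */
bool requires_auth(const char *uri) { return !is_public_strict(uri); }

int main(void) {
    /* Constructed sample requests. */
    const char *samples[] = {
        "/static/logo.png",
        "/config/upload?ref=/static/x",
        "/static/../config/upload",
        "/config/upload",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s weak_public=%d strict_public=%d\n", samples[i],
               is_public_weak(samples[i]), is_public_strict(samples[i]));
    return 0;
}
```

The strict check runs on the same string the handler will route on; if the server decodes or rewrites the URI first, the classification has to happen after that step, not before it.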

To validate the vulnerability on a physical device, the researchers needed to power a Vertiv Liebert IS-UNITY-DP network card outside of its normal UPS environment. Because no board-level documentation or pinout information was publicly available, they performed hardware analysis to identify the power and ground pins on the proprietary edge connector. Using product specifications from a related Vertiv device, they determined the expected operating voltage and power requirements, traced likely power connections on the board, and connected the card to an external DC power supply configured within safe operating limits.

After identifying the correct power connections and supplying power to the card, the device successfully booted and established network connectivity, indicated by activity on the Ethernet interface. The researchers then obtained the device’s IP address and accessed its web interface, allowing them to test their findings against a real-world system rather than relying solely on static analysis and emulation.

In conclusion, Mens wrote that what makes the vulnerabilities “especially concerning is the context: in large data centers, virtually all computing equipment relies on UPS devices to stay online during power issues. Any weakness in those UPS communication modules can directly affect the machines they protect.”


