CVE-2019-16261 — CRITICAL (9.1)

Vulnerability Description

Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Tripplite	Pdumh15At Firmware	12.04.0053
Tripplite	Pdumh15At	-

Related Weaknesses (CWE)

CWE-287

References

https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bitsExploitThird Party Advisory
https://gist.github.com/Shlucus/ab762d6b148f2d2d046c956526a80ddc
http://seclists.org/fulldisclosure/2025/Mar/1
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bitsExploitThird Party Advisory

FAQ

What is CVE-2019-16261?

CVE-2019-16261 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off ...

How severe is CVE-2019-16261?

CVE-2019-16261 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-16261?

Check the references section above for vendor advisories and patch information. Affected products include: Tripplite Pdumh15At Firmware, Tripplite Pdumh15At.