Search
Find a vulnerability
Search criteria
4 vulnerabilities found for DCIM dcTrack by Sunbird
CVE-2025-66238 (GCVE-0-2025-66238)
Vulnerability from nvd – Published: 2025-12-04 21:10 – Updated: 2025-12-05 17:01
VLAI
Title
Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel
Summary
DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sunbird | DCIM dcTrack |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.3 |
|
| Sunbird | IQ |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.1 |
Date Public
2025-12-04 17:01
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:01:04.433609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:01:14.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DCIM dcTrack",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "IQ",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "notnotnotveg (notnotnotveg@gmail.com) reported these vulnerabilities to CISA."
}
],
"datePublic": "2025-12-04T17:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance\u0027s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance\u0027s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T21:10:11.206Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSunbird recommends that users take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003edcTrack: Update to 9.2.3\u003c/li\u003e\u003cli\u003ePower: Update to IQ 9.2.1\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Sunbird recommends that users take the following actions:\n\n * dcTrack: Update to 9.2.3\n * Power: Update to IQ 9.2.1"
}
],
"source": {
"advisory": "ICSA-25-338-05",
"discovery": "EXTERNAL"
},
"title": "Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating immediately is not possible, Sunbird additionally recommends that customers:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict SSH or any non-essential port access in the IP Based Access Control.\u003c/li\u003e\n\u003cli\u003ePasswords for SSH based user accounts be changed at the time of deployment.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating immediately is not possible, Sunbird additionally recommends that customers:\n\n\n\n * Restrict SSH or any non-essential port access in the IP Based Access Control.\n\n * Passwords for SSH based user accounts be changed at the time of deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66238",
"datePublished": "2025-12-04T21:10:11.206Z",
"dateReserved": "2025-11-25T17:32:15.110Z",
"dateUpdated": "2025-12-05T17:01:14.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66237 (GCVE-0-2025-66237)
Vulnerability from nvd – Published: 2025-12-04 21:02 – Updated: 2026-06-04 20:05
VLAI
Title
Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials
Summary
DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sunbird | DCIM dcTrack |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.3 |
|
| Sunbird | Power IQ |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.1 |
Date Public
2025-12-04 17:01
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:01:49.625209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:02:00.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DCIM dcTrack",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Power IQ",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "notnotnotveg (notnotnotveg@gmail.com) reported these vulnerabilities to CISA."
}
],
"datePublic": "2025-12-04T17:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003e\n\n\u003cspan\u003e\n\n\u003cspan\u003e\n\n\u003cspan\u003eDCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T20:05:57.617Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSunbird recommends that users take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003edcTrack: Update to 9.2.3\u003c/li\u003e\u003cli\u003ePower: Update to IQ 9.2.1\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Sunbird recommends that users take the following actions:\n\n * dcTrack: Update to 9.2.3\n * Power: Update to IQ 9.2.1"
}
],
"source": {
"advisory": "ICSA-25-338-05",
"discovery": "EXTERNAL"
},
"title": "Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating immediately is not possible, Sunbird additionally recommends that customers:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestrict SSH or any non-essential port access in the IP Based Access Control.\u003c/li\u003e\u003cli\u003ePasswords for SSH based user accounts be changed at the time of deployment.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating immediately is not possible, Sunbird additionally recommends that customers:\n\n * Restrict SSH or any non-essential port access in the IP Based Access Control.\n * Passwords for SSH based user accounts be changed at the time of deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66237",
"datePublished": "2025-12-04T21:02:59.614Z",
"dateReserved": "2025-11-25T17:32:15.110Z",
"dateUpdated": "2026-06-04T20:05:57.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66238 (GCVE-0-2025-66238)
Vulnerability from cvelistv5 – Published: 2025-12-04 21:10 – Updated: 2025-12-05 17:01
VLAI
Title
Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel
Summary
DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sunbird | DCIM dcTrack |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.3 |
|
| Sunbird | IQ |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.1 |
Date Public
2025-12-04 17:01
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:01:04.433609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:01:14.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DCIM dcTrack",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "IQ",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "notnotnotveg (notnotnotveg@gmail.com) reported these vulnerabilities to CISA."
}
],
"datePublic": "2025-12-04T17:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance\u0027s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance\u0027s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T21:10:11.206Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSunbird recommends that users take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003edcTrack: Update to 9.2.3\u003c/li\u003e\u003cli\u003ePower: Update to IQ 9.2.1\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Sunbird recommends that users take the following actions:\n\n * dcTrack: Update to 9.2.3\n * Power: Update to IQ 9.2.1"
}
],
"source": {
"advisory": "ICSA-25-338-05",
"discovery": "EXTERNAL"
},
"title": "Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating immediately is not possible, Sunbird additionally recommends that customers:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict SSH or any non-essential port access in the IP Based Access Control.\u003c/li\u003e\n\u003cli\u003ePasswords for SSH based user accounts be changed at the time of deployment.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating immediately is not possible, Sunbird additionally recommends that customers:\n\n\n\n * Restrict SSH or any non-essential port access in the IP Based Access Control.\n\n * Passwords for SSH based user accounts be changed at the time of deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66238",
"datePublished": "2025-12-04T21:10:11.206Z",
"dateReserved": "2025-11-25T17:32:15.110Z",
"dateUpdated": "2025-12-05T17:01:14.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66237 (GCVE-0-2025-66237)
Vulnerability from cvelistv5 – Published: 2025-12-04 21:02 – Updated: 2026-06-04 20:05
VLAI
Title
Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials
Summary
DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sunbird | DCIM dcTrack |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.3 |
|
| Sunbird | Power IQ |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.1 |
Date Public
2025-12-04 17:01
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:01:49.625209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:02:00.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DCIM dcTrack",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Power IQ",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "notnotnotveg (notnotnotveg@gmail.com) reported these vulnerabilities to CISA."
}
],
"datePublic": "2025-12-04T17:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003e\n\n\u003cspan\u003e\n\n\u003cspan\u003e\n\n\u003cspan\u003eDCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T20:05:57.617Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSunbird recommends that users take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003edcTrack: Update to 9.2.3\u003c/li\u003e\u003cli\u003ePower: Update to IQ 9.2.1\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Sunbird recommends that users take the following actions:\n\n * dcTrack: Update to 9.2.3\n * Power: Update to IQ 9.2.1"
}
],
"source": {
"advisory": "ICSA-25-338-05",
"discovery": "EXTERNAL"
},
"title": "Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating immediately is not possible, Sunbird additionally recommends that customers:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestrict SSH or any non-essential port access in the IP Based Access Control.\u003c/li\u003e\u003cli\u003ePasswords for SSH based user accounts be changed at the time of deployment.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating immediately is not possible, Sunbird additionally recommends that customers:\n\n * Restrict SSH or any non-essential port access in the IP Based Access Control.\n * Passwords for SSH based user accounts be changed at the time of deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66237",
"datePublished": "2025-12-04T21:02:59.614Z",
"dateReserved": "2025-11-25T17:32:15.110Z",
"dateUpdated": "2026-06-04T20:05:57.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}