CVE-2019-16261

critical

Description

Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053.

References

https://gist.github.com/Shlucus/ab762d6b148f2d2d046c956526a80ddc

https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits

http://seclists.org/fulldisclosure/2025/Mar/1

Details

Source: Mitre, NVD

Published: 2019-09-12

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00671