Dataprobe’s iBoot-Power Distribution Unit (PDU) Vulnerabilities

By Jonathan Means on October 11, 2022

Executive Summary

On Tuesday, September 20, 2022, Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-22-263-03) regarding seven serious vulnerabilities found in Dataprobe’s iBoot-power distribution units (PDU). Dataprobe and CISA were notified by Uri Katz of Claroty Research, who discovered these issues. PDUs are devices found within industrial environments, data centers, and elsewhere where power supplies must be in proximity to rack-mounted equipment [3]. The vulnerabilities that Claroty’s research team found were remotely exploitable and could be used to target a cloud-based management console from a compromised field device or take over a company’s cloud and attack primary logic controllers (PLC) and other devices to disrupt operations [4].


On September 20, 2022, Claroty’s research team, Team82, discovered and revealed seven vulnerabilities within Dataprobe’s iBoot- PDU. In 2021, a Censys report revealed the exposure of more than 2,000 PDUs to the internet [3]. Furthermore, 31% (620) of those devices belong to Dataprobe. That report prompted Team82 to examine the security of Dataprobe iBoot-PDUs and determine whether the devices were remotely accessible by bypassing authentication requirements to gain remote code execution capability. As of October 5th, 2022, a Censys search revealed 248 devices are still exposed to the internet, with one located here in Hawaii.  

The iBoot-PDU makes it easy to manage A/C power from any location. In addition, it comes with a cloud platform and a straightforward and easy-to-use web interface that allows for regulating multiple PDUs from a single web page, including controlling each outlet for remote power management [2].


The seven vulnerabilities disclosed in the report were all assigned a common vulnerabilities and exposures (CVE) number, ranging from CVE-2022-3183 to CVE-2022-3189. The top three issues were improper access control, assigned a common vulnerability scoring system (CVSS) v3 base score of 8.6, operating system (OS) command injection, and path traversal, with a CVSS v3 base score of 9.8. 

            The improper access control vulnerability (CVE-2022-3186) also aligns with common weakness enumeration (CWE) -284, which is software that does not restrict or incorrectly restricts access to a resource from an unauthorized actor [6]. When considering CVE-2022-3186, the vulnerability allows attackers unauthorized access to the device’s main management page from the cloud. Also, it enables users to connect to devices remotely. However, the current implementation permits users to access other devices’ information [3][1].

            The second high-impact vulnerability was OS command injection (CVE-2022-3183), which corresponds to CWE-78. OS command injection could allow attackers to execute unexpected, dangerous commands directly on the operating system [4]. As for CVE-2022-3183, a specific function does not sanitize the input provided by the user, which may expose the affected device to OS command injection [3][1].

            Finally, the path traversal (CVE-2022-3184) issue correlates to CWE-22. CWE-22 is an input validation weakness where external input is used to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory. Still, the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location outside the restricted directory [5]. In the case of CVE-2022-3184, The device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory [3][1].


Today, attackers can exploit these vulnerabilities to achieve arbitrary code execution by bypassing network address translation (NAT) and firewalls. Thus, this enables the attacker to cut the power to all devices controlled by the PDU. Furthermore, an attacker can obtain the credentials required to move laterally within the compromised network. Therefore, CISA recommends that users take defensive measures to minimize the risk of an attacker exploiting these vulnerabilities. Specifically, users should [1]:

  • Minimize network exposure for all control system devices and systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize VPN is only as secure as its connected devices.

Dataprobe recommends users disable the simple network management protocol (SNMP) if it is not in use. Dataprobe also has released a firmware security update (Version 1.42.06162022) to address the seven vulnerabilities in their iBoot-PDU power distribution unit operating system and owners have been advised to update to the new firmware. 


[1] Cybersecurity and Infrastructure Security Agency. (2022 09 22). ICS Advisory (ICSA-22-263-03). Retrieved on October 4, 2022, from CISA:

[2] Dataprobe. (n.d.). IBOOT-PDU – INTELLIGENT POWER DISTRIBUTION. Retrieved October 4, 2022, from Dataprobe:

[3] Katz, U. (2022 09 22). Jumping NAT to Shut Down Electric Devices. Retrieved October 4, 2022, from Claroty:

[4] Mitre. (n.d.). CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). Retrieved October 4, 2022, from Mitre:

[5] Mitre. (n.d.). CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Retrieved October 4, 2022, from Mitre:

[6] Mitre. (n.d.). CWE-284: Improper Access Control. Retrieved October 4, 2022, from Mitre: