Critical CVSS 9.8 Flaw in Vertiv Hardware Puts Servers at Severe Risk
A critical vulnerability identified in Vertiv Geist Uninterruptible Power Supply (UPS) devices allows unauthorized remote attackers to gain full control over affected hardware. Assigned a CVSS score of 9.8, the security flaw permits remote code execution without requiring user authentication, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Affected Hardware and Technical Impact
The vulnerability, tracked as CVE-2024-7026, impacts specific firmware versions of the Vertiv Geist switchable and outlet-metered rack power distribution units (PDUs). Because the flaw exists within the device’s web interface, it allows an unauthenticated actor to execute arbitrary commands with administrative privileges.
According to security disclosures, the vulnerability stems from improper input validation. By sending specially crafted network packets to the device, an attacker can bypass existing security controls. Because these units are typically deployed to manage power for high-density server environments, a successful exploit provides an attacker with the ability to cycle power, shut down servers, or manipulate environmental sensors connected to the PDU.
Risk Mitigation and Firmware Updates
Vertiv has released firmware updates to address the flaw. System administrators are advised to verify their current firmware version against the list of vulnerable releases provided by the manufacturer.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, formalizing the requirement for federal agencies to remediate the issue within a mandated timeframe. For organizations outside of the federal government, the agency recommends immediate patching as the primary defense against potential exploitation. If patching is not immediately feasible, security guidelines suggest isolating the management interfaces of power distribution units behind a dedicated, firewalled management network to prevent direct exposure to the public internet.
Comparison with Prior Infrastructure Vulnerabilities
The severity of this flaw aligns with recent trends in industrial control system (ICS) security, where management interfaces for power and cooling hardware have become primary targets for network-based attacks. While previous vulnerabilities in data center infrastructure often required local access or complex chain exploits, CVE-2024-7026 is notable for its high exploitability score and lack of required authentication.
Unlike standard server software vulnerabilities, which often impact data confidentiality, this hardware flaw poses a direct risk to physical availability. By manipulating the power state of the PDU, an attacker can initiate a forced system outage, effectively bypassing standard software-based disaster recovery protocols. Vertiv continues to monitor for reports of active exploitation in enterprise environments.