CVE-2025-46412 is a critical authentication bypass vulnerability affecting the Vertiv Liebert RDU101, a device commonly used in data center infrastructure for remote monitoring and control of power distribution units (PDUs). The vulnerability stems from improper protection of webserver functions, allowing an attacker to bypass authentication mechanisms entirely. This is classified under CWE-288, which involves authentication bypass using an alternate path or channel. The vulnerability has a CVSS 4.0 base score of 9.3, indicating a critical severity level. The vector metrics specify that the attack can be performed remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), meaning an attacker could fully compromise the device's functions, potentially gaining unauthorized access to control and monitoring features without any authentication. The scope is unchanged (S:U), and no security requirements are waived (SI:N, SA:N). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved and published in May 2025, highlighting its recent discovery. Given the critical nature of the device in managing power infrastructure, exploitation could lead to significant operational disruptions or unauthorized control over power distribution systems.

For European organizations, especially those operating data centers, critical infrastructure, or facilities relying on Vertiv Liebert RDU101 devices, this vulnerability poses a severe risk. An attacker exploiting this flaw could gain unauthorized access to power distribution controls, potentially causing power outages, equipment damage, or disruption of essential services. This could impact sectors such as telecommunications, finance, healthcare, and government services, where uptime and power reliability are paramount. The ability to bypass authentication remotely without any user interaction or privileges makes it highly exploitable, increasing the risk of targeted attacks or automated exploitation attempts. Given the interconnected nature of European critical infrastructure and strict regulatory requirements (e.g., NIS Directive), such a compromise could lead to regulatory penalties, reputational damage, and operational losses.

Immediate mitigation steps include isolating the affected Liebert RDU101 devices from untrusted networks to limit remote access. Network segmentation should be enforced to restrict access to management interfaces only to authorized personnel and systems. Monitoring network traffic for unusual access patterns or attempts to reach the device's webserver functions can help detect exploitation attempts early. Since no patches are currently available, organizations should engage with Vertiv for updates and advisories. Implementing multi-factor authentication (MFA) on management interfaces where possible, and using VPNs or secure tunnels for remote access, can add layers of defense. Additionally, organizations should prepare incident response plans specific to power infrastructure compromise and conduct regular audits of device configurations and access logs. Finally, consider deploying compensating controls such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) to detect and block exploitation attempts targeting this vulnerability.