CVE-2025-66238

Sunbird DCIM dcTrack and Power IQ Authentication Bypass Using an Alternate Path or Channel

CVSS 7.4 HIGHEPSS 0.3%CWE-288

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Sunbird · DCIM dcTrack Sunbird · IQ

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05