Security advisory reference: ICSR-2026-02-001 - PDUexperts
Security advisory reference: ICSR-2026-02-001 - v.1.03
This industrial security advisory is delivered as free courtesy information to ICS Range
ApS’ & En Garde Security’s customers and our business partners.
Document Sensitive Level
This information is shared as TLP:AMBER under the Traffic Light Protocol (TLP), with sharing further limited to “Limited disclosure, restricted to participants’ organizations”.
Please keep ICS Range ApS as source/author of the information and document(s).
Should you need to share or redistribute this information to any companies (or individuals) outside your organization (defined as any non-holding or subsidiary companies), please contact us for permission before further sharing the document or the information provided. Further information on TLP can be found at https://www.cisa.gov/tlp
Intro
During an externally commissioned security assessment, our OT security researchers found a new zero-day vulnerability in the Smart PDU KWX-N16A8C3-H3FC20 from vendor PDUexperts.
The vulnerability falls in the unauthenticated RCE (remote code execution) category.
https://www.pduexperts.com/wp-content/uploads/dlm_uploads/2015/09/KWX-N16A8C3-H3C20.pdf
The device was running firmware BEX 2.6.1 at the moment of testing, but other models and firmware versions could likely be affected as well.
Information on the vulnerability was provided to the vendor as responsible disclosure, together with a POC script.
An official advisory and CVE numbers would likely be published if/when the firmware is made publicly available.
What is a PDU?
A Power Distribution Unit (PDU) is a device with multiple outlets designed to distribute electric power to servers, networking equipment, and other devices, typically within a data center rack.
Why this advisory?
The vulnerability could severely affect production, and many different industries use PDUs, including but not limited to the following sectors:
Communications, Commercial Datacenters, Defense Industrial, Energy, Food and Brewage, Healthcare, Transportation, Water
Due to the nature of the vulnerability, ICS Range ApS has decided to deliver this advisory as an “Early Warning”, to alert customers and our business partners in advance so they can prepare if/when the updated firmware is made public.
The vulnerability
The current PDU firmware is vulnerable to an unauthenticated arbitrary file write over the HTTP server. This vulnerability allows any unauthenticated user to gain root access to the PDU.
The vulnerability lies in the Certificate import functionality, where the user input is passed directly into a system call. The firmware version was identified as BEX 2.6.1; we have not been able to confirm whether any newer versions are available for the PDU.
The vulnerability has been rated 9.8 under CVSS v3.1, with the following vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remediation
1. Configure an SSH enabled user with hardened credentials while disabling insecure webserver and telnet services.
2. Update the firmware version of the PDU when/if newer versions are available.
3. -or- Disable webserver access to the PDU, enabling only telnet connections.
Keep in mind that this is the lesser evil, as telnet will still transmit passwords in plaintext.
Timeline:
October/November 2025: The information found, upon agreement with our external client, was shared as responsible disclosure to the vendor via email. First email sent to the vendor, with technical information and with offers to provide Proof of Concept (POC) scripts etc. for free, to ensure better/quicker options to fix the vulnerability.
6. Jan: A follow-up email was sent to the vendor on support & info emails.
A 14-day deadline was given to confirm the email was received (20/1 was given as date).
A 60-day deadline was given to the vendor to advise how/what steps would be taken to mitigate the vulnerability.
Jan 2025: Several peers in the industry were contacted, to hear if they had some personal connections into the company, with no luck.
11. Feb: 2 weeks overdue on the above given deadline with no reply from the vendor.
Writing advisory (ICSR-2026-02-001) to be shared with ICSRange clients and business partners.
Copy sent to the vendor for full information/transparency.
The vendor has now replied and is currently investigating the issue.
17. Feb: Public release date of ICSR-2026-02-001, sent to peers, clients and other friends of ICSRange.
23. Feb: Public release date of ICSR-2026-02-001, added to website, downgrading TLP to White, with the request to keep ICSRange as author, finder, reporter, and provide us full credit for the finding.
Questions
If further questions arise (or you need permission to redistribute further), please contact ICS Range ApS at support@icsrange.com. Please note that we do not/cannot share videos and/or any further technical information, including the POC scripts, at the moment.