PatchSiren cyber security CVE debrief

CVE-2025-66237 Sunbird CVE debrief

Sunbird DCIM dcTrack and Power IQ platforms contain default and hard-coded credentials that enable administrative database access, privilege escalation, and host command execution. CISA published advisory ICSA-25-338-05 on December 4, 2025, assigning CVSS 3.1 score 6.7 (MEDIUM). The vulnerability requires local access and high privileges to exploit, but successful exploitation yields complete confidentiality, integrity, and availability compromise. Sunbird has released patched versions: dcTrack 9.2.3 and Power IQ 9.2.1. Organizations unable to update immediately should restrict SSH and non-essential port access via IP-based controls and change SSH account passwords at deployment.

Vendor: Sunbird
Product: DCIM dcTrack
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-04
Original CVE updated: 2025-12-04
Advisory published: 2025-12-04
Advisory updated: 2025-12-04

Who should care

Organizations operating Sunbird DCIM dcTrack or Power IQ data center infrastructure management platforms, particularly those in critical infrastructure sectors with OT/ICS environments. Security teams responsible for industrial control system hardening, database administrators managing dcTrack deployments, and infrastructure teams maintaining Power IQ installations should prioritize patching or implementing interim access controls.

Technical summary

Sunbird DCIM dcTrack and Power IQ platforms ship with default and hard-coded credentials. An attacker with local access and high privileges can use these credentials to administer the database, escalate privileges on the platform, or execute system commands on the underlying host. The vulnerability is rated CVSS 3.1 6.7 (MEDIUM) with local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Sunbird has released dcTrack 9.2.3 and Power IQ 9.2.1 to address this issue. Interim mitigations include IP-based access control restrictions and mandatory SSH password changes at deployment.

Defensive priority

HIGH

Recommended defensive actions

  • Update dcTrack to version 9.2.3 or later
  • Update Power IQ to version 9.2.1 or later
  • If immediate patching is not possible, restrict SSH and non-essential port access using IP-based access controls
  • Change passwords for all SSH-based user accounts at deployment time
  • Review and harden all default credentials across Sunbird DCIM infrastructure
  • Monitor for unauthorized administrative access attempts to database and host systems
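The version check and the SSH allowlist review above, as an added example that is not PatchSiren's or Sunbird's code: it flags inventory entries below the fixed versions the advisory names (dcTrack 9.2.3, Power IQ 9.2.1) and lists accepted SSH logins whose source address falls outside an IP-based management allowlist. The inventory, the sshd log lines, the user names and the 10.20.0.0/24 allowlist are all constructed for the example.

```python
import ipaddress
import re

# Fixed versions from the advisory: dcTrack 9.2.3 and Power IQ 9.2.1.
FIXED_VERSIONS = {"dcTrack": (9, 2, 3), "Power IQ": (9, 2, 1)}

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    {"host": "dctrack-01", "product": "dcTrack", "version": "9.2.1"},
    {"host": "dctrack-02", "product": "dcTrack", "version": "9.2.3"},
    {"host": "poweriq-01", "product": "Power IQ", "version": "9.10.0"},
    {"host": "poweriq-02", "product": "Power IQ", "version": "9.1.7"},
]

# Constructed sshd lines in the standard OpenSSH "Accepted ... for USER from IP" format.
SAMPLE_SSHD_LOG = """\
Dec  4 10:01:12 dctrack-01 sshd[2211]: Accepted password for opsuser from 10.20.0.15 port 51822 ssh2
Dec  4 10:03:40 dctrack-01 sshd[2290]: Accepted publickey for admin from 192.0.2.77 port 40112 ssh2
Dec  4 10:05:02 dctrack-01 sshd[2301]: Failed password for root from 198.51.100.9 port 33001 ssh2
Dec  4 10:07:19 poweriq-01 sshd[1188]: Accepted password for dcadmin from 10.20.0.16 port 52210 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def parse_version(text):
    """Turn '9.10.0' into (9, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def needs_patch(product, version):
    """True when the installed version is older than the advisory's fixed version."""
    fixed, installed = FIXED_VERSIONS[product], parse_version(version)
    width = max(len(fixed), len(installed))  # pad so "9.2" compares as (9, 2, 0)
    return installed + (0,) * (width - len(installed)) < fixed + (0,) * (width - len(fixed))

def unpatched_hosts(inventory):
    return [i["host"] for i in inventory if needs_patch(i["product"], i["version"])]

def logins_outside_allowlist(log_text, allowed_cidrs):
    """Return (user, ip) for accepted SSH logins not sourced from the management allowlist."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        match = ACCEPTED_RE.search(line)
        if not match:
            continue  # failed attempts and unrelated lines are skipped here
        user, source = match.groups()
        if not any(ipaddress.ip_address(source) in net for net in networks):
            findings.append((user, source))
    return findings

if __name__ == "__main__":
    print("Needs patch:", unpatched_hosts(INVENTORY))
    print("SSH logins outside allowlist:", logins_outside_allowlist(SAMPLE_SSHD_LOG, ["10.20.0.0/24"]))
```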

Evidence notes

CISA CSAF advisory ICSA-25-338-05 confirms default and hard-coded credentials in the dcTrack and Power IQ platforms. The CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector with high privileges required, but high impact on all three elements of the CIA triad. Remediation guidance specifies version updates and interim access controls.

Official resources

2025-12-04