Sunbird DCIM dcTrack and Power IQ

MonitorCVSS 6.7ICS-CERT ICSA-25-338-05Dec 4, 2025

Energy

Attack path

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Sunbird DCIM dcTrack and Power IQ contain improper authentication vulnerabilities (CWE-288) and hardcoded credentials (CWE-798). Successful exploitation could allow an attacker to gain unauthorized access or steal credentials. dcTrack versions ≤9.2.0 and Power IQ versions ≤9.2.0 are affected.

What this means

What could happen

An attacker with local access or knowledge of hardcoded credentials could gain unauthorized access to dcTrack or Power IQ, potentially allowing them to view sensitive facility data, modify configurations, or cause denial of service in your data center power monitoring systems.

Who's at risk

Energy sector organizations using Sunbird DCIM dcTrack or Power IQ for data center infrastructure and power monitoring should prioritize this. If your facility uses these products to monitor power distribution, UPS systems, cooling, or infrastructure health, you are affected. Small to mid-size utilities with data centers or server rooms managing their own facilities are typical users.

How it could be exploited

An attacker could exploit improper authentication or hardcoded credentials to log into dcTrack or Power IQ without valid user credentials. If SSH access is reachable from the network, they could authenticate using default or embedded passwords, gaining administrative control over power and infrastructure monitoring.

Prerequisites

Local access to the device or network access to SSH port
Knowledge of or ability to discover hardcoded credentials
dcTrack version ≤9.2.0 or Power IQ version ≤9.2.0

improper authentication implementationhardcoded credentialslocal or network-accessible attack surfaceaffects IT infrastructure management (power, cooling monitoring)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

DCIM dcTrack: <=v9.2.0≤ v9.2.09.2.3

Power IQ: <=v9.2.0≤ v9.2.09.2.1

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict SSH and non-essential port access using IP-based access control lists

WORKAROUNDChange all SSH-based user account passwords immediately

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate dcTrack to version 9.2.3 or later

HOTFIXUpdate Power IQ to version 9.2.1 or later

Long-term hardening

0/2

HARDENINGIsolate DCIM systems behind firewalls and restrict access from business networks

HARDENINGEnsure DCIM systems are not directly accessible from the internet

CVEs (2)

CVE-2025-66238 CVE-2025-66237

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aa762ab5-7da0-4232-94f8-47b92da22f5f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.