Schneider Electric APC Easy UPS On-Line

Act Now9.8ICS-CERT ICSA-20-224-02Aug 11, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Vulnerabilities in Schneider Electric APC Easy UPS On-Line (model SFAPV9601, versions 2.0 and earlier) allow unauthenticated remote code execution via a path traversal flaw (CWE-22). An attacker with network access to the device can execute arbitrary commands without providing credentials. No public exploits exist, but active exploitation is monitored.

What this means

What could happen

An attacker could execute arbitrary code on the UPS device, potentially disrupting power delivery to critical systems or causing unplanned shutdowns of equipment dependent on uninterruptible power supply.

Who's at risk

Energy sector operators managing data centers, utility substations, and critical infrastructure that rely on APC Easy UPS On-Line devices (model SFAPV9601) for backup power protection should prioritize this update. Any facility dependent on continuous power delivery is at risk.

How it could be exploited

An attacker with network access to the APC Easy UPS On-Line device (port 502 or web interface) can send a crafted request that exploits a path traversal flaw to upload and execute malicious code on the device without authentication.

Prerequisites

Network access to the APC Easy UPS On-Line device (reachable from the network)
No authentication required

remotely exploitableno authentication requiredlow complexitycritical severity (CVSS 9.8)affects power delivery systems

Exploitability

Low exploit probability (EPSS 0.7%)

Affected products (1)

ProductAffected VersionsFix Status

SFAPV9601: v2.0 and earlier≤ 2.02.1

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGRestrict network access to the APC Easy UPS On-Line device: place it behind a firewall and isolate it from the business network and the Internet

HARDENINGIf remote access to the UPS is required, use a VPN with current security patches to limit exposure

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SFAPV9601 UPS firmware to version 2.1 or later

CVEs (2)

CVE-2020-7521 CVE-2020-7522

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/917caf0c-b88c-4465-a57c-b1b4cdc7dd62