OTPulse

Schneider Electric NMC cards and Embedded Devices

Monitor · 6.8 · ICS-CERT ICSA-21-313-01 · Nov 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Multiple Schneider Electric Network Management Card (NMC2 and NMC3) products contain cross-site scripting (XSS) and information disclosure vulnerabilities in their web-based management interfaces. These vulnerabilities affect power distribution units, uninterruptible power supplies (UPS), cooling products, and automatic transfer switches. An attacker could inject malicious code that executes in an operator's browser session when they click a malicious link, or could access sensitive configuration and operational data if debug files are left accessible. The vulnerabilities stem from improper input validation in the web interface (CWE-79) and insufficient access controls on sensitive data (CWE-200).

What this means
What could happen
An attacker could inject malicious web code into management interfaces of power distribution and UPS devices, potentially disabling remote monitoring or tricking operators into taking unsafe actions. Data stored on these devices could also be exposed, including system configuration.
Who's at risk
This advisory affects operators of power infrastructure equipment—specifically anyone managing APC PDUs, UPS systems (Symmetra, Galaxy, Smart-UPS), cooling systems, and automatic transfer switches using Schneider Electric's Network Management Card 2 (NMC2) or Network Management Card 3 (NMC3) embedded controllers. Water and electric utilities, data centers, and facilities with backup power systems are most likely to be impacted.
How it could be exploited
An attacker tricks an operator into clicking a malicious link via email or chat, which exploits a cross-site scripting flaw in the NMC web interface when clicked from an authenticated session. Alternatively, if debug.tar files are left accessible, an attacker could extract stored data from the system. The attack requires the operator to click a link and have an active browser session on the NMC device.
Prerequisites
  • Operator must click a malicious link from an untrusted source
  • Operator must have an active authenticated session on the NMC web interface
  • Workstation must have network access to the NMC management interface
remotely exploitable · low complexity attack · affects critical power management interfaces · no patch available for many products · wide range of products affected with extended support still being determined
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (16)
16 pending
Product | Affected Versions | Fix Status
APC 3-Phase Power Distribution Products using NMC2: NMC2 AOS v6.9.6 and prior | NMC2 ≤ 6.9.6 | No fix yet
Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P): NMC2 AOS v6.9.6 and prior | NMC2 ≤ 6.9.6 | No fix yet
Network Management Card 2 for Modular 150/175kVA PDU (XRDP): NMC2 AOS v6.9.6 and prior | NMC2 ≤ 6.9.6 | No fix yet
3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 48/96/100/160 kW UPS (PX2) Symmetra PX 20/40 kW UPS (SY3P) Gutor (SXW GVX) and Galaxy (GVMTS GVMSA GVXTS GVXSA G7K GFC G9KCHU): NMC2 AOS v6.9.6 and prior | NMC2 ≤ 6.9.6 | No fix yet
1-Phase Uninterruptible Power Supply (UPS) using NMC3 including Smart-UPS Symmetra and Galaxy 3500 with Network Management Card 3 (NMC3): NMC3 AOS v1.4.2.1 and prior | NMC3 ≤ 1.4.2.1 | No fix yet
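
A triage check built on the affected-version limits listed above, added here as an example and not part of the advisory or any Schneider Electric tooling: it flags inventory entries whose AOS version is at or below the listed limit for their card family. The CSV layout, hostnames and function names are assumptions.

```python
import csv
import io
import re

# Highest affected AOS version per card family, taken from the advisory table.
AFFECTED_MAX = {"NMC2": (6, 9, 6), "NMC3": (1, 4, 2, 1)}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = """host,card,aos_version
pdu-a1,NMC2,v6.9.6
ups-b2,NMC2,7.0.4
ups-c3,NMC3,AOS v1.4.2.1
ups-d4,NMC3,1.5
crac-e5,NMC2,6.8
ats-f6,NMC2,unknown
"""

def parse_version(text):
    """Return the dotted version found in `text` as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in match.group().split(".")) if match else None

def is_affected(card, version):
    """True/False when determinable, None when card or version is unknown."""
    limit = AFFECTED_MAX.get(card.strip().upper())
    parsed = parse_version(version)
    if limit is None or parsed is None:
        return None
    # Pad to equal length so 1.5 compares as 1.5.0.0 against 1.4.2.1.
    width = max(len(limit), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(parsed) <= pad(limit)

def triage(inventory_csv):
    """Map each host to 'affected', 'not affected', or 'review'."""
    labels = {True: "affected", False: "not affected", None: "review"}
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: labels[is_affected(r["card"], r["aos_version"])] for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Entries marked "review" have a card family or version string the check could not interpret and need a manual look at the device.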
Remediation & Mitigation
Do now
WORKAROUND: Do not click links in emails or messages from unverified sources that point to NMC management interfaces
WORKAROUND: Ensure any debug.tar files generated via Web or CLI interface are deleted immediately after retrieval
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P): NMC2 AOS v6.9.6 and prior
HOTFIX: Update NMC2 1-Phase UPS (SUMX/SY applications) to firmware v7.04 or later
HOTFIX: Update NMC2 3-Phase UPS Symmetra PX 250/500 (SYPX application) to firmware v7.0.4 or later; contact Schneider Electric support for upgrade assistance
HOTFIX: Update APC Rack PDU NMC2 (RPDU2G application) to firmware v7.0.6 or later
HOTFIX: Update APC 3-Phase PDU NMC2 (RPP application) to firmware v7.0.4 or later
HOTFIX: Update NMC2 Cooling Products to firmware v7.0.4 or later; contact Schneider Electric support for specific upgrades
3-Phase Uninterruptible Power Supply (UPS) using NMC2 including Symmetra PX 48/96/100/160 kW UPS (PX2) Symmetra PX 20/40 kW UPS (SY3P) Gutor (SXW GVX) and Galaxy (GVMTS GVMSA GVXTS GVXSA G7K GFC G9KCHU): NMC2 AOS v6.9.6 and prior
HOTFIX: Update NMC3 1-Phase UPS (SU/SY applications) to firmware v1.5 or later
Long-term hardening
HARDENING: Ensure workstations used to access NMC interfaces are hardened and kept up to date with security patches
HARDENING: Place all NMC management interfaces on isolated networks behind firewalls, not directly accessible from business networks or Internet
HARDENING: Restrict access to NMC management interfaces to authorized personnel only via physical and logical controls