Schneider Electric Rack PDU (Update A)

MonitorCVSS 6.5ICS-CERT ICSA-21-348-02Dec 14, 2021

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

A privilege escalation vulnerability exists in Schneider Electric Rack PDUs that could allow an authenticated attacker with low privileges to gain elevated access. The vulnerability affects AP7xxxx and AP8xxx models with NMC2 (firmware v6.9.6 and prior), AP7xxx and AP8xxx with NMC3 (firmware v1.1.0.3 and prior), and APDU9xxx with NMC3 (firmware v1.0.0.28 and prior). Successful exploitation requires valid user credentials, network access to the management interface, and user interaction through the outlet links feature. The vulnerability has been addressed through firmware updates.

What this means

What could happen

An authenticated attacker with low privileges could exploit this vulnerability to gain elevated privileges on the Rack PDU, potentially allowing them to reconfigure power distribution settings, disable outlets, or modify network connectivity for critical infrastructure equipment.

Who's at risk

Electrical utility operators and data center managers using Schneider Electric Rack PDUs should care about this vulnerability. It affects AP7xxxx and AP8xxx models with NMC2 or NMC3 network management cards, as well as APDU9xxx models with NMC3. These devices provide remote power management and monitoring for critical electrical infrastructure, including servers, switches, and control system equipment.

How it could be exploited

An attacker with valid user credentials and network access to the management interface (typically port 80/443) could trigger a privilege escalation through the outlet links feature. The attacker would need to interact with the web interface to manipulate outlet configurations, leveraging a logic flaw to bypass authorization checks and execute commands with elevated permissions.

Prerequisites

Valid user account credentials (non-administrative)
Network access to the Rack PDU management port (80/443)
Ability to interact with the web interface
Outlet links feature must be enabled

Remotely exploitableRequires valid user credentialsHigh attack complexityNo public exploits knownDefault credentials may be present

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

AP7xxxx-NMC2 V6.9.6 or earlier≤ 6.9.67.0.6

AP8xxx-NMC2 V6.9.6 or earlier≤ 6.9.67.0.6

AP7xxx-NMC3 V1.1.0.3 or earlier≤ 1.1.0.31.2.0.2

AP8xxx-NMC3 V1.1.0.3 or earlier≤ 1.1.0.31.2.0.2

APDU9xxx-NMC3 V1.0.0.28 or earlier≤ 1.0.0.281.2.0.2

AP7xxxx and AP8xxx with NMC2: v6.9.6 and prior≤ 6.9.6v7.0.6

AP7xxx and AP8xxx with NMC3: v1.1.0.3 and prior≤ 1.1.0.3v1.2.0.2

APDU9xxx with NMC3: v1.0.0.28 and prior≤ 1.0.0.28v1.2.0.2

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDDisable outlet links feature until firmware update can be applied

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AP7xxxx and AP8xxx with NMC2 to firmware v7.0.6 or later

HOTFIXUpdate AP7xxx, AP8xxx, and APDU9xxx with NMC3 to firmware v1.2.0.2 or later

Long-term hardening

0/3

HARDENINGImplement network segmentation to isolate Rack PDU management interfaces from untrusted networks

HARDENINGRestrict management interface access via firewall rules to only authorized administrative workstations

HARDENINGEnforce strong access controls and regularly audit user account privileges on the Rack PDU

CVEs (1)

CVE-2021-22825

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3e899684-bc83-4b12-bcbb-77fb1ee14fa0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.