OTPulse

Schneider Electric APC Easy UPS Online

Priority: Act Now · Score: 9.8 · Source: ICS-CERT ICSA-22-347-02 · Published: Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

APC Easy UPS Online contains multiple vulnerabilities affecting versions 2.5-GA and earlier on Windows 7, 10, 11, Windows Server 2016, 2019, and 2022. These include unauthenticated remote code execution (CWE-306), arbitrary file upload (CWE-434), improper access control (CWE-732), and hardcoded credentials (CWE-798). Successful exploitation allows an attacker to execute code, change passwords, and escalate privileges without authentication.

What this means
What could happen
An attacker could remotely execute commands on your UPS management system without credentials, allowing them to reconfigure power protection settings, shut down critical equipment, or disable alerts that warn of power faults. They could also alter or reset administrator passwords, locking out legitimate operators.
Who's at risk
Energy utilities and any facility operating APC Easy UPS Online systems (versions 2.5-GA or earlier on Windows platforms) should prioritize this. This includes data centers, hospitals, water treatment plants, and other critical infrastructure that rely on uninterruptible power supplies for equipment protection. Any organization with an engineering workstation or management server running these UPS management versions is at risk.
How it could be exploited
An attacker on the network (or internet if the Easy UPS device is exposed) sends a crafted request to the web service. Because no authentication is required due to missing access checks (CWE-306) and weak credential handling (CWE-798), the request succeeds. The attacker uploads a malicious file (CWE-434) or directly executes commands through improper privilege handling (CWE-732), gaining full control of the UPS system.
Prerequisites
  • Network reachability to the APC Easy UPS Online device on its management port (typically HTTP/HTTPS)
  • No authentication credentials required for exploitation
  • Device must be running affected version (2.5-GA or earlier)
Tags: Remotely exploitable · No authentication required · Low complexity attack · No patch available (end-of-life product) · Affects power infrastructure
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (2)

Both listed products are end-of-life (EOL).

Product | Affected Versions | Fix Status
APC Easy UPS Online | ≤ 2.5-GA (Windows 7, 10, 11, Windows Server 2016, 2019, 2022) | No fix (EOL)
APC Easy UPS Online | ≤ 2.5-GA-01-22261 (Windows 11, Windows Server 2019, 2022) | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Do not expose APC Easy UPS Online devices directly to the Internet. Place them on a dedicated management network isolated from your business network.
  • WORKAROUND: Use a firewall to block inbound access to the APC Easy UPS Online management interface from untrusted networks. Restrict access to authorized engineering and IT staff only.
  • HARDENING: If remote access is required, use a VPN to establish a secure tunnel and ensure the VPN software is kept up to date.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor for suspicious authentication attempts and unexpected configuration changes to the UPS system.
  • HOTFIX: Contact Schneider Electric for guidance on patching or replacement options, as no fix is currently available for the affected versions.