Schneider Electric APC Easy UPS Online Monitoring Software (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-23-108-02Apr 11, 2023

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in APC Easy UPS Online Monitoring Software and Schneider Electric Easy UPS Online Monitoring Software allows remote code execution through the Java RMI interface without authentication. Successful exploitation could result in arbitrary code execution on the monitoring server, authentication bypass, privilege escalation, malicious web code execution, or loss of device functionality. The affected software is being discontinued along with the Easy UPS Online SNMP Cards (APV9601, APVS9601). Schneider Electric recommends migration to the PowerChute series (PowerChute Serial Shutdown or PowerChute Network Shutdown) as the long-term solution.

What this means

What could happen

An attacker could execute arbitrary code on the monitoring server and bypass authentication, giving them control over UPS configuration and potentially interrupting power management for critical equipment. This could result in loss of device functionality, manipulation of power setpoints, or shutdown of monitored systems.

Who's at risk

Energy utilities and facilities relying on APC Easy UPS Online or Schneider Electric Easy UPS Online Monitoring Software versions 2.5-GA-01-22261 or earlier. This affects anyone using these versions to monitor uninterruptible power supplies (UPS) that back up critical systems like SCADA servers, control systems, or facility infrastructure.

How it could be exploited

An attacker with network access to the Java RMI interface (typically port 1099) can manipulate internal RMI methods to achieve remote code execution on the monitoring server without authentication. The Java RMI protocol does not verify caller identity before allowing method invocation.

Prerequisites

Network access to the monitoring software's Java RMI port (default 1099)
The affected version of APC/Schneider Easy UPS Online Monitoring Software running and listening on the network
No authentication required to invoke RMI methods

Remotely exploitableNo authentication requiredLow complexity exploitCritical CVSS score (9.8)High EPSS score (8.3%)Public proof-of-concept availableAffects UPS/power management systems

Exploitability

Some exploitation risk — EPSS score 7.7%

Affected products (12)

12 with fix

ProductAffected VersionsFix Status

Microsoft Windows 10≤ 2.5-GA-01-223202.6-GA-01-23116

Microsoft Windows 11≤ 2.5-GA-01-223202.6-GA-01-23116

Microsoft Windows Server 2016≤ 2.5-GA-01-223202.6-GA-01-23116

Microsoft Windows Server 2019≤ 2.5-GA-01-223202.6-GA-01-23116

Microsoft Windows Server 2022≤ 2.5-GA-01-223202.6-GA-01-23116

Microsoft Windows 10≤ 2.5-GS-01-223202.6-GA-01-23116

Microsoft Windows 11≤ 2.5-GS-01-223202.6-GA-01-23116

Microsoft Windows Server 2016≤ 2.5-GS-01-223202.6-GA-01-23116

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to the monitoring software's RMI port (port 1099) with a firewall rule to allow only engineering and administrative workstations

HARDENINGIsolate the UPS monitoring network from the business network using a firewall and ensure the monitoring software is not accessible from the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade APC Easy UPS Online Monitoring Software to version 2.6-GA or later, or Schneider Electric Easy UPS Online Monitoring Software to version 2.6-GS or later

Long-term hardening

0/3

HOTFIXMigrate to PowerChute Serial Shutdown or PowerChute Network Shutdown, as the Easy UPS Online software and associated SNMP Cards (APV9601, APVS9601) are being discontinued

HARDENINGImplement network segmentation to place UPS monitoring devices behind a firewall and isolate them from untrusted networks

HARDENINGUse a VPN for any remote access to the UPS monitoring software

CVEs (3)

CVE-2023-29411 CVE-2023-29412 CVE-2023-29413

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e15f6d71-9fc3-4c93-9137-35480ee2221b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.