OTPulse

Socomec MOD3GP-SY-120K

Act Now | CVSS 10 | ICS-CERT ICSA-23-250-03 | Sep 7, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

MODULYS GP (MOD3GP-SY-120K) contains multiple web interface vulnerabilities: cross-site scripting (XSS, CWE-79), cross-site request forgery (CWE-352), unsafe file operations (CWE-565), and arbitrary code execution (CWE-94). These allow an attacker with network access to inject malicious JavaScript, steal session cookies, execute arbitrary code, or obtain sensitive information. The product is end-of-life and will not receive patches.

What this means
What could happen
An attacker could inject malicious JavaScript code into the web interface, steal session cookies or user credentials, or obtain sensitive system information. This could lead to unauthorized control of the UPS system or manipulation of power delivery settings affecting critical infrastructure.
Who's at risk
Water utilities and municipalities using Socomec MODULYS GP (MOD3GP-SY-120K) uninterruptible power supply (UPS) systems, particularly those with the web firmware management interface exposed to networks. This affects any organization relying on this UPS model for critical power continuity.
How it could be exploited
An attacker with network access to the device's web interface could submit crafted input containing JavaScript code (stored or reflected XSS) that executes in an administrator's browser session. By stealing session cookies, the attacker gains authenticated access to modify UPS settings, bypass security controls, or read sensitive configuration data without providing valid credentials.
Prerequisites
  • Network access to the MOD3GP-SY-120K web interface (typically port 80 or 443)
  • No authentication required to exploit the XSS vulnerability itself; however, stealing session cookies allows access to authenticated functions
  • Victim must visit a malicious link or open an attacker-controlled webpage (for reflected XSS)
  • Remotely exploitable via network
  • No authentication required for XSS exploitation
  • Web-based interface with CSRF and arbitrary code execution vulnerabilities
  • End-of-life product with no patch available
  • Could affect power delivery to safety-critical systems
  • CVSS score 10 (critical severity)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
MODULYS GP (MOD3GP-SY-120K): Web_firmware_v01.12.10 | Web firmware v01.12.10 | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to the device's web interface using firewall rules; only allow connections from authorized engineering workstations or management networks
  • HARDENING: Disable direct internet exposure; ensure the device is not accessible from the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Migrate from end-of-life MODULYS GP (MOD3GP-SY-120K) to MODULYS GP2 (M4-S-XXX), which is not affected by these vulnerabilities
Mitigations - no patch available
MODULYS GP (MOD3GP-SY-120K): Web_firmware_v01.12.10 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Place the UPS device behind a firewall and isolate it from the business network; use network segmentation to separate the power management system from general IT infrastructure
  • HARDENING: If remote access is required, use a VPN to the management network rather than exposing the device directly
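
One way to check the firewall and segmentation controls above against an exported allow-list, as an added example that is not part of the advisory or of any vendor tooling. The UPS address, management network and rule set are constructed sample values; the rule tuple format is an assumption to adapt to your firewall's export.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the advisory).
UPS_ADDR = ipaddress.ip_address("10.20.30.40")
WEB_PORTS = {80, 443}  # web interface ports named in the prerequisites
MGMT_NETS = [ipaddress.ip_network("10.20.99.0/28")]  # engineering / VPN pool

# Constructed allow rules: (name, source CIDR, destination CIDR, dest port).
# A port of None means the rule allows any port.
RULES = [
    ("eng-to-ups-https", "10.20.99.0/28", "10.20.30.40/32", 443),
    ("office-to-ot-any", "10.10.0.0/16", "10.20.30.0/24", None),
    ("any-to-ups-http", "0.0.0.0/0", "10.20.30.40/32", 80),
    ("eng-to-plc", "10.20.99.0/28", "10.20.31.0/24", 502),
]


def violations(rules, ups=UPS_ADDR, ports=WEB_PORTS, mgmt=MGMT_NETS):
    """Return names of allow rules that let a source outside the
    authorized management networks reach the UPS web interface."""
    bad = []
    for name, src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if ups not in dst_net:
            continue  # rule does not cover the UPS address
        if port is not None and port not in ports:
            continue  # rule does not cover the web interface ports
        # The whole source range must sit inside a management network;
        # a broader range (business LAN, 0.0.0.0/0) is a violation.
        if not any(src_net.subnet_of(m) for m in mgmt):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for rule_name in violations(RULES):
        print("exposes UPS web interface:", rule_name)
```
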