APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices
Act Now | SEVD-2020-174-01 | Jun 22, 2020
Summary
Schneider Electric's APC Network Management Cards (NMC) contain vulnerabilities in the embedded Treck TCP/IP stack, collectively known as Ripple20. The primary concern is CVE-2020-11901, which can be exploited via specially crafted network packets to achieve remote code execution on affected devices. This vulnerability affects NMC2, NMC3, and NMC1 cards used in UPS systems, power distribution units (PDUs), automatic transfer switches, battery management systems, environmental monitoring units, and cooling devices. Older NMC1 models (AP9617, AP9618, AP9619) and many embedded NMC1 applications are discontinued and will not receive patches.
What this means
What could happen
An attacker could exploit vulnerabilities in the embedded TCP/IP stack to remotely run code on UPS systems, PDUs, and other power management devices, potentially shutting down backup power or altering power distribution settings during a critical event.
Who's at risk
Organizations managing power infrastructure including utilities, data centers, and facilities with APC UPS systems, Rack PDUs, Automatic Transfer Switches, and cooling systems that depend on Schneider Electric Network Management Cards (NMC1, NMC2, NMC3) for remote monitoring and control. This includes any Smart-UPS, Symmetra, Galaxy, InRow, or InfraStruXure branded devices with embedded network cards.
How it could be exploited
An attacker on the network sends a specially crafted packet to the Network Management Card embedded in the UPS, PDU, or power distribution device. The vulnerable Treck TCP/IP stack (particularly through CVE-2020-11901) mishandles the malformed packet, which allows arbitrary code execution on the management card and gives the attacker control over device functions.
Prerequisites
- Network access to the device's management interface (typically port 80/443 for web access or SNMP port 161)
- Device running vulnerable NMC1 or NMC2 firmware version
- No authentication required for the initial exploit packet
- Remotely exploitable
- No authentication required
- Actively exploited (KEV)
- High exploit probability (58% EPSS)
- No patch available for older NMC1 models
- Affects power delivery and backup systems critical to facility operations
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (33)
18 with fix, 15 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6 |
| Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9631/AP9631CH/AP9631J NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6 |
| Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9635/AP9635CH NMC2 AOS V6.9.4 and earlier | ≤ NMC2 AOS 6.9.4 | 6.9.6 |
| Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9617 (discontinued in Nov 2011) Smart-UPS NMC1 v3.9.2 and earlier | ≤ Smart-UPS NMC1 3.9.2 | No fix yet |
| Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9619 (discontinued in Sep 2012) Smart-UPS NMC1 v3.9.2 and earlier | ≤ Smart-UPS NMC1 3.9.2 | No fix yet |
Remediation & Mitigation
Do now
NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9617 (discontinued in Nov 2011) NMC1 AOS V3.9.2 and earlier
- HOTFIX: Upgrade NMC1 devices to AOS V3.9.4 or later (for models that support patching)
- HARDENING: For discontinued NMC1 models with no patch available (AP9617, AP9618, AP9619, and embedded NMC1 devices), implement network segmentation to restrict direct access to the management card from untrusted networks
All products
- HOTFIX: Upgrade NMC2 devices to AOS V6.9.6 or later
- HOTFIX: Upgrade NMC3 devices to AOS V1.4 or later
- WORKAROUND: Restrict network access to management card ports (web interface and SNMP) using firewall rules, limiting access to authorized administrative networks only
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Disable remote management interfaces if not actively needed for device monitoring or control
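An added example (not part of the advisory or any vendor tool): an inventory triage that applies the fixed AOS versions and the no-fix NMC1 models listed above to decide between upgrading and segmenting. The CSV columns, host names and the `EXAMPLE-NMC3` model label are constructed for illustration.

```python
import csv
import io

# Fixed AOS versions per card generation, from the remediation items above.
FIXED_AOS = {"NMC1": (3, 9, 4), "NMC2": (6, 9, 6), "NMC3": (1, 4)}
# Discontinued NMC1 SmartSlot models listed above as receiving no patch; embedded
# NMC1 devices without a fix would need adding from the vendor's product list.
NO_FIX_MODELS = {"AP9617", "AP9618", "AP9619"}

def parse_version(text):
    """Turn 'v6.9.4' or '6.9.4' into a comparable tuple such as (6, 9, 4)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def triage(row):
    """Return (action, detail) for one inventory row (assumed column names)."""
    model = row["model"].strip().upper()
    gen = row["card"].strip().upper()
    if model in NO_FIX_MODELS:
        return ("SEGMENT", "no fix: restrict web/SNMP access to admin networks")
    fixed = FIXED_AOS.get(gen)
    if fixed is None:
        return ("REVIEW", f"unknown card generation {gen!r}")
    try:
        current = parse_version(row["aos"])
    except ValueError:
        return ("REVIEW", f"unparseable AOS version {row['aos']!r}")
    # Pad with zeros so that (1, 4) and (1, 4, 0) compare as equal.
    width = max(len(current), len(fixed))
    current += (0,) * (width - len(current))
    target = fixed + (0,) * (width - len(fixed))
    if current < target:
        return ("UPGRADE", "to AOS " + ".".join(map(str, fixed)) + " or later")
    return ("OK", "at or above the fixed AOS version")

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage action."""
    return {r["host"]: triage(r)[0] for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory; hosts and installed versions are made up.
SAMPLE = """host,model,card,aos
ups-rack01,AP9630,NMC2,6.9.4
ups-rack02,AP9631,NMC2,v6.9.6
ups-old01,AP9617,NMC1,3.9.2
pdu-a1,EXAMPLE-NMC3,NMC3,1.3.3.1
pdu-a2,EXAMPLE-NMC3,NMC3,1.4
"""

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(host, action)
```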
CVEs (17)