PowerChute Business Edition
Plan: Patch · 7.1 · SEVD-2020-224-05 · Aug 11, 2020
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
PowerChute Business Edition versions 9.0.x and earlier contain an input validation flaw (CWE-20) that may lead to remote code execution. The vulnerability requires valid user credentials and user interaction but could allow an attacker to execute arbitrary commands on the PowerChute server, affecting UPS monitoring and power management operations. The flaw is fixed in version 9.1 and above.
What this means
What could happen
An attacker with valid user credentials could execute arbitrary code on the PowerChute Business Edition server, potentially disrupting power management and UPS monitoring for critical infrastructure like data centers and electrical systems.
Who's at risk
Organizations operating UPS and power management infrastructure that rely on PowerChute Business Edition for monitoring and control, including data centers, hospitals, water authorities, and electric utilities dependent on battery backup and failover management.
How it could be exploited
An attacker with valid login credentials accesses the PowerChute Business Edition web interface or management console over the network and exploits the input validation flaw to inject and execute arbitrary commands on the server running the software.
Prerequisites
- Valid PowerChute Business Edition user account credentials
- Network access to the PowerChute Business Edition management interface (default port varies)
- User interaction required (administrator action to trigger the vulnerability)
- Knowledge of the vulnerable input parameter
- Remotely exploitable
- Valid credentials required
- Medium complexity attack
- High impact (code execution on infrastructure management system)
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerChute Business Edition software V9.0.x and earlier. | ≤ 9.0.x | >= 9.1
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PowerChute Business Edition to version 10.x or later for 64-bit environments, or version 9.5 or later for 32-bit environments
HOTFIX: Schedule maintenance window for software update and reboot as needed
Long-term hardening
HARDENING: Implement network access controls to restrict management console access to authorized personnel and jump hosts only
HARDENING: Require strong, unique passwords for all PowerChute Business Edition user accounts
CVEs (1)
API:
/api/v1/advisories/009bffa5-fb24-4077-a48f-eb6953a50e9b