APC by Schneider Electric Rack PDU
Monitor · 6.5 · SEVD-2021-348-04 · Dec 14, 2021
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
A cross-site scripting (XSS) vulnerability exists in APC Rack PDU management cards (NMC2 and NMC3) used in AP7xxxx, AP8xxx, and APDU9xxx series devices. The vulnerability allows an attacker to inject malicious web code that executes in an authenticated user's browser session, potentially resulting in unintended power outlet control, load management changes, or denial of monitoring. The affected versions are AP7xxxx-NMC2 and AP8xxx-NMC2 V6.9.6 or earlier, AP7xxx-NMC3 and AP8xxx-NMC3 V1.1.0.3 or earlier, and APDU9xxx-NMC3 V1.0.0.28 or earlier.
What this means
What could happen
An attacker could inject malicious code into the PDU's web interface that executes in a user's browser, potentially allowing them to manipulate power outlet states or disable monitoring of critical equipment such as servers, cooling systems, or other infrastructure dependent on the PDU for remote outlet control and sequencing.
Who's at risk
Energy sector organizations operating Schneider Electric APC Rack PDU units (AP7xxxx, AP8xxx, and APDU9xxx series) for power distribution, monitoring, and outlet-level control in data centers, utility facilities, and other critical infrastructure sites.
How it could be exploited
An attacker with network access to the PDU's web interface could craft a malicious link or embed a script in a web page that, when clicked by an authenticated user, injects malicious code into the PDU's web application. This code executes in the user's browser with the user's permissions, allowing the attacker to perform actions like toggling outlet power or modifying load management settings without additional authorization.
Prerequisites
- Network access to the PDU web interface (typically port 80/443)
- A valid authenticated user must click a malicious link or visit a compromised page while logged into the PDU
- The user must be using a web browser to interact with the PDU management interface
Tags: remotely exploitable · requires authenticated user interaction · cross-site scripting vulnerability · affects power management and facility control · no patch available for affected firmware versions at time of advisory
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
AP7xxxx-NMC2 V6.9.6 or earlier | ≤ 6.9.6 | 7.0.6
AP8xxx-NMC2 V6.9.6 or earlier | ≤ 6.9.6 | 7.0.6
AP7xxx-NMC3 V1.1.0.3 or earlier | ≤ 1.1.0.3 | 1.2.0.2
AP8xxx-NMC3 V1.1.0.3 or earlier | ≤ 1.1.0.3 | 1.2.0.2
APDU9xxx-NMC3 V1.0.0.28 or earlier | ≤ 1.0.0.28 | 1.2.0.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PDU web management interface with a firewall rule that allows only trusted engineering workstations and administrative systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update AP7xxxx-NMC2 and AP8xxx-NMC2 devices to firmware version 7.0.6 or later
HOTFIX: Update AP7xxx-NMC3, AP8xxx-NMC3, and APDU9xxx-NMC3 devices to firmware version 1.2.0.2 or later
HOTFIX: Reboot the PDU after each firmware update and verify the new firmware version is correctly installed
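The verification step above is easiest to get right across a fleet if the fix table is checked by a script rather than by eye. The following is an added example, not code from Schneider Electric or from this advisory: it encodes the advisory's affected and fixed versions, parses the firmware strings, and classifies each device. It assumes an inventory export that carries the model number, the management card generation (NMC2 or NMC3) and the firmware string as shown in the PDU web interface; the inventory rows in the block are constructed sample data, not real devices. Versions that are newer than the last listed affected release but older than the fixed release are reported as "review" rather than silently passed, since the advisory table does not cover them.

```python
"""Check a PDU firmware inventory against the SEVD-2021-348-04 fix table (added example)."""
import re

# Fix table transcribed from the advisory: (series prefix, card) -> (last affected, first fixed)
FIX_TABLE = {
    ("AP7", "NMC2"): ("6.9.6", "7.0.6"),
    ("AP8", "NMC2"): ("6.9.6", "7.0.6"),
    ("AP7", "NMC3"): ("1.1.0.3", "1.2.0.2"),
    ("AP8", "NMC3"): ("1.1.0.3", "1.2.0.2"),
    ("APDU9", "NMC3"): ("1.0.0.28", "1.2.0.2"),
}


def parse_version(text):
    """Turn a firmware string such as 'V6.9.6' or 'v1.2.0.2' into a tuple of ints.

    Tuples compare element by element, so (6, 9, 6) < (7, 0, 6) and
    (1, 1, 0, 3) < (1, 2, 0, 2) without any string tricks.
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def series_of(model):
    """Map a model number to the advisory's series prefix, or None if not covered."""
    upper = model.strip().upper()
    for prefix in ("APDU9", "AP7", "AP8"):
        if upper.startswith(prefix):
            return prefix
    return None


def assess(model, card, firmware):
    """Classify one device as 'affected', 'review', 'fixed' or 'not-in-scope'."""
    key = (series_of(model), card.strip().upper())
    if key not in FIX_TABLE:
        return "not-in-scope"
    last_affected, first_fixed = FIX_TABLE[key]
    version = parse_version(firmware)
    if version <= parse_version(last_affected):
        return "affected"
    if version < parse_version(first_fixed):
        # Between the last listed affected build and the fix: not in the table, needs a human look.
        return "review"
    return "fixed"


def check_inventory(rows):
    """Return {device name: verdict} for an iterable of (name, model, card, firmware) rows."""
    return {name: assess(model, card, fw) for name, model, card, fw in rows}


# Constructed sample inventory (model numbers and hostnames are made up for illustration).
SAMPLE_INVENTORY = [
    ("rack01-pdu-a", "AP8-sample", "NMC2", "V6.9.6"),
    ("rack01-pdu-b", "AP8-sample", "NMC2", "V7.0.6"),
    ("rack02-pdu-a", "AP7-sample", "NMC3", "V1.1.0.3"),
    ("rack03-pdu-a", "APDU9-sample", "NMC3", "v1.0.0.28"),
    ("rack03-pdu-b", "APDU9-sample", "NMC3", "V1.2.0.2"),
    ("ups-01", "SMT-sample", "NMC2", "V6.9.6"),   # not a Rack PDU series in this advisory
]

if __name__ == "__main__":
    for name, verdict in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {verdict}")
```

Run it against a real export by replacing SAMPLE_INVENTORY with rows pulled from your asset database; anything reported as "affected" goes onto the maintenance-window list, and "review" entries should be confirmed against the vendor's release notes before being closed.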
Long-term hardening
HARDENING: Disable or restrict remote web access to the PDU if it is not required for operations; use only local serial or in-band management
CVEs (1)