APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series

Plan PatchCVSS 9SEVD-2022-067-02Mar 8, 2022

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Schneider Electric APC Smart-UPS devices contain multiple vulnerabilities (CVE-2022-0715, CVE-2022-22805, CVE-2022-22806) that could allow unauthorized access and control of the UPS unit if compromised. The vulnerabilities are associated with authentication and buffer overflow issues (CWE-120, CWE-294, CWE-287). Affected devices span SMT, SMC, SMTL, SMX, SCL, SRT, SRC, XU, XP, and CSH2 series. Firmware patches are available for some SmartConnect and Smart-UPS variants, but many older and end-of-life models have no fix available.

What this means

What could happen

An attacker who gains access to a Smart-UPS device could alter power distribution settings, disable battery protection, or trigger unsafe shutdown of critical infrastructure served by the UPS. This could result in uncontrolled power loss to facilities, equipment damage, or loss of life safety systems in hospitals and water treatment plants.

Who's at risk

Energy sector operators, including municipal utilities, water authorities, and industrial facilities that rely on APC Smart-UPS devices for power management. Particularly critical for organizations running backup power systems for water treatment plants, wastewater facilities, electrical substations, data centers, and emergency response facilities. Affects wide range of UPS models from 3kVA to 20kVA single-phase and 208V/240V/380V/400V/415V three-phase units.

How it could be exploited

An attacker with network access to the UPS management port (typically port 502 or web interface port) can exploit authentication or buffer overflow vulnerabilities to send commands directly to the UPS. If the device is exposed to the internet or accessible from an untrusted network segment, the attacker can remotely compromise it without valid credentials.

Prerequisites

Network access to UPS management interface (port 502, web interface, or NMC connection)
Device running vulnerable firmware version (UPS 14.9 or earlier for most models, UPS 04.5 or earlier for SMT ID=1015)
No authentication required based on CVSS vector PR:N

remotely exploitableno authentication requiredhigh CVSS score (9.0)affects power delivery and safety systemsno fix available for many modelsnetwork accessible device

Exploitability

Some exploitation risk — EPSS score 8.2%

Affected products (44)

10 with fix34 pending

ProductAffected VersionsFix Status

SmartConnect Family SMT Series ID=1015 <=UPS 04.5≤ UPS 04.5UPS 04.6

SmartConnect Family SMC Series ID=1018 <=UPS 04.2≤ UPS 04.2UPS 04.3

SmartConnect Family SMTL Series ID=1026 <=UPS 14.9≤ UPS 14.9UPS 15.0

SmartConnect Family SMT Series ID=1031 <=UPS 14.9≤ UPS 14.9UPS 04.6

SmartConnect Family SCL Series ID=1030 <=UPS 14.9≤ UPS 14.9UPS 15.0

Remediation & Mitigation

0/11

Do now

0/2

HARDENINGPlace UPS devices behind firewall and restrict access to management ports; prevent external network access to UPS management interfaces

HARDENINGIsolate UPS management traffic to a dedicated, protected network segment separate from general IT and guest networks

Schedule — requires maintenance window

0/8

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SmartConnect SMT Series (ID=1015) firmware to UPS 04.6 or later

HOTFIXUpdate SmartConnect SMC Series (ID=1018) firmware to UPS 04.3 or later

HOTFIXUpdate SmartConnect SMTL Series (ID=1026) firmware to UPS 15.0 or later

HOTFIXUpdate SmartConnect SMT Series (ID=1031) firmware to UPS 04.6 or later

HOTFIXUpdate SmartConnect SCL Series (ID=1030) firmware to UPS 15.0 or later

HOTFIXUpdate SmartConnect SMX Series (ID=1031) firmware to UPS 04.6 or later

WORKAROUNDDisable NMC (Network Management Card) firmware update capability after applying patches; re-enable only when Schneider releases future firmware that restores this feature

HARDENINGVerify firmware updates using hash verification before installation; only download from official Schneider Electric sources

Long-term hardening

0/1

HARDENINGFor Smart-UPS models with no vendor fix available (SMT ID=18, SMX ID=23/1023/1003, SRT series, SRC series, XU/XP series, CSH2), implement strict network access controls and physical security to prevent unauthorized device access

CVEs (3)

CVE-2022-22805 CVE-2022-22806 CVE-2022-0715

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7afa5f8f-da1d-4ba0-b725-8a66e29fdea6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.