OTPulse

APC Easy UPS Online Monitoring Software

Act Now · CVSS 9.8 · SEVD-2022-347-01 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric APC Easy UPS Online Monitoring Software and Easy UPS Online Monitoring Software contain multiple vulnerabilities in file upload validation, file permissions, and credential handling. The vulnerabilities could allow remote code execution, privilege escalation, and authentication bypass. Affected versions: APC Easy UPS Online Monitoring Software ≤2.5-GA and ≤2.5-GA-01-22261; Easy UPS Online Monitoring Software ≤2.5-GA and ≤2.5-GA-01-22261 on Windows 7, 10, 11, Windows Server 2016, 2019, and 2022.

What this means
What could happen
An attacker could execute arbitrary code on the monitoring workstation, escalate privileges to system level, or bypass authentication controls, potentially gaining full control of UPS management functions and the ability to interfere with power distribution monitoring and failover operations.
Who's at risk
Power utilities and facilities using APC Easy UPS systems to monitor and manage uninterruptible power supplies (UPS) on Windows workstations. This includes energy sector operations centers, water utilities, hospitals, and data centers that rely on monitoring software running on Windows 7, 10, 11, or Windows Server 2016/2019/2022 to track UPS status and configure failover protection.
How it could be exploited
An unauthenticated attacker can send a specially crafted request over the network to the monitoring software's web interface. The software fails to properly validate or restrict file uploads and improperly sets file permissions, allowing the attacker to upload and execute malicious code, then escalate privileges using hardcoded or weak credentials stored in configuration files.
Prerequisites
  • Network access to the Windows workstation running APC Easy UPS Online Monitoring Software (typically port 80/443 for web interface)
  • No authentication required for initial exploitation
  • Monitoring software must be installed and running
  • Remotely exploitable without authentication
  • Low attack complexity
  • CVSS severity 9.8 (critical)
  • Affects monitoring and control of critical power infrastructure
  • Default/hardcoded credentials in product
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Easy UPS Online Monitoring Software (Windows 7, 10, 11; Windows Server 2016, 2019, 2022) | ≤ 2.5-GA | 2.5-GS-01-22320
Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022) | ≤ 2.5-GA-01-22261 | 2.5-GS-01-22320
APC Easy UPS Online Monitoring Software (Windows 7, 10, 11; Windows Server 2016, 2019, 2022) | ≤ 2.5-GA | 2.5-GA-01-22320
APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022) | ≤ 2.5-GA-01-22261 | 2.5-GA-01-22320
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the monitoring software's web interface to authorized engineering workstations only, using host firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update APC Easy UPS Online Monitoring Software to version 2.5-GA-01-22320 or later
HOTFIX: Update Schneider Electric Easy UPS Online Monitoring Software to version 2.5-GS-01-22320 or later
Long-term hardening
HARDENING: Disable direct internet access to monitoring workstations; place them on a protected management network segment isolated from facility networks
HARDENING: Apply the principle of least privilege: run the monitoring software service under a restricted user account rather than an administrator or SYSTEM account
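One way to apply the "Do now" workaround (web interface reachable only from authorized engineering workstations) and the least-privilege hardening item together on the monitoring host, as an added PowerShell example that is not part of the OTPulse advisory or of Schneider Electric's guidance. The workstation addresses and the Windows service name are placeholders; it must be run in an elevated PowerShell session.

```powershell
# Added example (not from the advisory or the vendor). Restricts inbound access to the
# web interface ports named in the advisory (80/443) to listed engineering workstations
# and checks which account the monitoring service runs under.
# Assumptions: $AuthorizedHosts are placeholder addresses; $ServiceName is a placeholder
# for the real Windows service name (look it up in services.msc on the host).

$AuthorizedHosts = @('10.10.5.21', '10.10.5.22')   # placeholder engineering workstations
$WebPorts        = @('80', '443')                  # web interface ports per the advisory
$ServiceName     = '<EASY_UPS_SERVICE_NAME>'       # placeholder service name

# 1. Make "deny by default" explicit: only allow rules admit inbound traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any enabled inbound allow rule that opens the web ports to any source
#    (for example one created at install time); it would otherwise override step 3.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    $opensWebPort = @($pf.LocalPort | Where-Object { $WebPorts -contains $_ }).Count -gt 0
    if ($pf.Protocol -eq 'TCP' -and $opensWebPort -and $af.RemoteAddress -eq 'Any') {
        Write-Host "Disabling broad inbound allow rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }
}

# 3. Allow the web ports only from the authorized workstations.
New-NetFirewallRule -DisplayName 'UPS Monitoring Web - engineering hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort $WebPorts `
    -RemoteAddress $AuthorizedHosts -Action Allow -Profile Any | Out-Null

# 4. Least-privilege check: flag the service if it runs as SYSTEM.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; confirm the service name on this host."
} elseif ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    Write-Warning "Service '$ServiceName' runs as $($svc.StartName); move it to a restricted account."
} else {
    Write-Host "Service '$ServiceName' runs as $($svc.StartName)."
}
```

Step 2 only disables rules rather than deleting them, so the original state can be restored if the monitoring software stops working after the change.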