OTPulse

Easy UPS Online Monitoring Software

Priority: Act Now · CVSS 9.8 · Advisory SEVD-2023-101-04 · Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Easy UPS Online Monitoring Software contains multiple vulnerabilities (CWE-306 missing authentication for critical function, CWE-78 OS command injection) that allow unauthenticated remote attackers to execute arbitrary commands and escalate privileges. These vulnerabilities affect versions 2.5-GA-01-22320 and earlier, and 2.5-GS-01-22320 and earlier, running on Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022. The software is used to configure and manage Easy UPS products and has been discontinued by the vendor; Schneider Electric recommends migrating to PowerChute software.

What this means
What could happen
An attacker could reach the UPS monitoring software over the network without authenticating and execute arbitrary commands on the Windows host it runs on, disrupting monitoring and control of the UPS units that protect data center or facility power and gaining a foothold on the management workstation itself.
Who's at risk
Energy sector facilities and data centers that use Schneider Electric Easy UPS Online Monitoring Software to manage Easy UPS units on Windows-based management workstations. This includes anyone running the monitoring software on Windows 10, Windows 11, Windows Server 2016, 2019, or 2022.
How it could be exploited
An attacker with network access to the host running Easy UPS Online Monitoring Software can send crafted requests to its network-facing management interface to bypass the missing authentication check and inject operating-system commands. The commands run with the privileges of the software process, which is enough to control the monitoring system and the UPS devices it manages.
Prerequisites
  • Network access to the TCP port(s) on which Easy UPS Online Monitoring Software listens on the management host (confirm the actual listener on the installed instance rather than assuming the standard web ports)
  • Easy UPS Online Monitoring Software version 2.5-GA-01-22320 or earlier, or 2.5-GS-01-22320 or earlier, installed
  • No connected UPS is needed: the software is exploitable regardless of UPS connection status, although the impact on power management depends on what the instance controls
Tags: remotely exploitable · no authentication required · low-complexity attack · affects critical infrastructure management · allows remote code execution
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (10), all with a fix available

Platform | Affected Versions | Fixed In
Microsoft Windows 10 | ≤ 2.5-GA-01-22320 | 2.6-GA-01-23116
Microsoft Windows 11 | ≤ 2.5-GA-01-22320 | 2.6-GA-01-23116
Microsoft Windows Server 2016 | ≤ 2.5-GA-01-22320 | 2.6-GA-01-23116
Microsoft Windows Server 2019 | ≤ 2.5-GA-01-22320 | 2.6-GA-01-23116
Microsoft Windows Server 2022 | ≤ 2.5-GA-01-22320 | 2.6-GA-01-23116
Microsoft Windows 10 | ≤ 2.5-GS-01-22320 | 2.6-GS-01-23116
Microsoft Windows 11 | ≤ 2.5-GS-01-22320 | 2.6-GS-01-23116
Microsoft Windows Server 2016 | ≤ 2.5-GS-01-22320 | 2.6-GS-01-23116
Remediation & Mitigation

Do now

Workaround: Restrict network access to the port(s) used by Easy UPS Online Monitoring Software with host or network firewall rules, permitting connections only from authorized management workstations or networks.
Schedule (requires a maintenance window)

Patching may require a reboot of the Windows management host; plan for an interruption of UPS monitoring while it is down.

Hotfix: Update Easy UPS Online Monitoring Software to version 2.6-GA-01-23116 (GA track) or 2.6-GS-01-23116 (GS track), matching the track of the installed build.
Long-term hardening

Hardening: Plan migration from Easy UPS Online Monitoring Software to PowerChute Serial Shutdown (for serial/USB connections) or PowerChute Network Shutdown (for network connections), since the affected product is discontinued.
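As an added example (not Schneider Electric tooling and not taken from the advisory), the following PowerShell script triages one Windows management host for the hotfix and the workaround above: it reads the installed version from the Uninstall registry keys, compares it against the fixed builds 2.6-GA-01-23116 and 2.6-GS-01-23116, discovers which TCP ports the software's own processes are actually listening on, and, if the host is still unpatched, confines those ports to the management network with a scoped Windows Firewall rule. The Uninstall DisplayName match, the DisplayVersion format, and the `$AllowedSources` subnet are assumptions; the port list is discovered at run time rather than assumed.

```powershell
# Added example: triage one Windows host for Easy UPS Online Monitoring Software.
# Not Schneider Electric tooling. Assumptions not taken from the advisory:
#  - the installer registers an Uninstall entry whose DisplayName contains "Easy UPS"
#    and whose DisplayVersion uses the 2.5-GA-01-22320 form;
#  - the listening port(s) are discovered from the running process, not assumed;
#  - $AllowedSources holds your management subnets (placeholder value below).
# Run from an elevated session: firewall changes and process paths need admin rights.

$FixedBuilds    = @{ GA = '2.6-GA-01-23116'; GS = '2.6-GS-01-23116' }   # from the advisory
$AllowedSources = @('10.10.50.0/24')                                     # assumed; replace

# Split "2.5-GA-01-22320" into comparable parts: release, track (GA/GS), revision, build.
function ConvertFrom-EasyUpsVersion {
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)-(GA|GS)-(\d+)-(\d+)$') {
        throw "Unrecognised version string '$Version'; read the version from the About dialog instead."
    }
    [pscustomobject]@{
        Release = [version]"$($Matches[1]).$($Matches[2])"
        Track   = $Matches[3]
        Rev     = [int]$Matches[4]
        Build   = [int]$Matches[5]
    }
}

# Conservative rule: anything below the fixed build for its track is treated as unpatched.
function Test-EasyUpsPatched {
    param([Parameter(Mandatory)][string]$Installed)
    $v = ConvertFrom-EasyUpsVersion $Installed
    $f = ConvertFrom-EasyUpsVersion $FixedBuilds[$v.Track]
    if ($v.Release -ne $f.Release) { return ($v.Release -gt $f.Release) }
    if ($v.Rev -ne $f.Rev)         { return ($v.Rev -gt $f.Rev) }
    return ($v.Build -ge $f.Build)
}

# 1. Find the install through the Uninstall registry keys (64- and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$install = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Easy UPS*' } |
    Select-Object -First 1
if (-not $install) { Write-Host 'No Easy UPS Online Monitoring Software install found.'; return }

$patched = Test-EasyUpsPatched -Installed $install.DisplayVersion
Write-Host "Installed $($install.DisplayVersion); at or above fixed build: $patched"

# 2. Discover the TCP listeners owned by processes running from the install directory.
$installDir = $install.InstallLocation
$ownerPids  = @()
if ($installDir) {
    $ownerPids = Get-Process | Where-Object {
        $_.Path -and $_.Path.StartsWith($installDir, [System.StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -ExpandProperty Id
}
$ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ownerPids -contains $_.OwningProcess } |
    Select-Object -ExpandProperty LocalPort -Unique

# 3. Until the hotfix is applied, confine those listeners to the management network.
#    Windows Firewall evaluates Block rules before Allow rules, so the restriction is
#    built from a scoped Allow plus the profile's default inbound Block, not a Block-all rule.
if (-not $patched -and $ports) {
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object { Write-Warning "Profile $($_.Name) does not block inbound by default; fix that first." }

    # Disable any program-scoped inbound Allow rules the installer may have created.
    Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like "$installDir*" } |
        Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName 'EasyUPS mgmt-only' -Direction Inbound -Protocol TCP `
        -LocalPort $ports -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
    Write-Host "TCP $($ports -join ', ') now reachable only from $($AllowedSources -join ', ')."
}
```

Two caveats when running this. If the Uninstall entry carries no `InstallLocation`, no ports are discovered and no rule is written; in that case identify the service binary manually and pass its listener ports to the same `New-NetFirewallRule` call. And the host firewall only narrows who can reach the listener; it does not remove the missing-authentication and command-injection bugs, so the script's output should feed the patch schedule rather than replace it.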