OTPulse

Easy UPS Online Monitoring Software

Monitor · CVSS 5.3 · SEVD-2023-346-03 · Dec 12, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A path traversal vulnerability (CWE-22) in Easy UPS Online Monitoring Software allows a local attacker with valid user credentials to delete arbitrary files with system-level privileges. Affected versions: prior to 2.6-GA-01-23116 on Windows 10, 11, Windows Server 2016, 2019, and 2022. The software is used to configure and manage Easy UPS products and has been discontinued by Schneider Electric.

What this means
What could happen
An attacker with local access to a system running Easy UPS Online Monitoring Software could gain elevated privileges and delete arbitrary files, potentially disrupting the monitoring and management of UPS systems that protect critical infrastructure.
Who's at risk
Organizations managing Schneider Electric Easy UPS products for power backup in data centers, server rooms, and utility control environments. This affects IT staff responsible for UPS configuration and monitoring on Windows administrative systems.
How it could be exploited
An attacker with local user credentials and physical or remote access to a system running Easy UPS Online Monitoring Software could exploit a path traversal vulnerability (CWE-22) to delete files with system-level privileges. The attack requires local access and low-level user privileges.
Prerequisites
  • Local access to the affected Windows system
  • Valid local user account credentials
  • Easy UPS Online Monitoring Software installed and running on Windows 10, 11, Windows Server 2016/2019/2022
Tags: Local access required · Low EPSS score (0.1%) · Path traversal vulnerability · File deletion with system privileges
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Easy UPS Online Monitoring (Windows 10, 11, Windows Server 2016, 2019, 2022) | prior to 2.6-GA-01-23116 (< 2.6-GA-01-23116) | Fixed in 2.6-GA-01-23116
Remediation & Mitigation

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Easy UPS Online Monitoring Software to version 2.6-GA-01-23116 or later

Long-term hardening

HARDENING: Transition from Easy UPS Online Monitoring Software to PowerChute Serial Shutdown (for serial/USB) or PowerChute Network Shutdown (for network monitoring)