In a security notification, APC has warned home and corporate users about critical vulnerabilities in the software used to monitor and control their UPS systems online.
APC, which started as the American Power Conversion in 1981, today is a part of Schneider Electric™. APC is an industry leader in physical infrastructure and software solutions, and one of the most popular uninterruptible power supply (UPS) brands. The company offers a range of UPS solutions, from home users to industrial control applications.
The monitoring software affected by the vulnerabilities is:
- APC Easy UPS Online Monitoring Software (V2.5-GA-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022))
- Schneider Electric Easy UPS Online Monitoring Software (V2.5-GS-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022))
The Easy UPS Online Monitoring Software is used to configure and manage APC and Schneider Electric branded Easy UPS products.
Users of APC Easy UPS Online Monitoring Software (Windows 10) can download a versions that includes a fix here.
Users of Schneider Electric Easy UPS Online Monitoring Software (Windows 10) can get a version that includes a fix here.
Failure to apply the remediations may risk remote code execution, escalation of privileges, or authentication bypass, which could result in execution of malicious web code or loss of device functionality.
Any users that choose not to apply the remediation provided above, should immediately apply the following general security recommendations to reduce the risk of exploit:
For Windows (10, 11) and Windows server 2016, 2019, 2022: Customers with direct access to their Easy UPS units should upgrade to PowerChute Serial Shutdown (PCSS) software on all servers protected by the Easy UPS On-Line (SRV, SRVL models).
As a general advice, it's worth saying that online monitoring tools should be behind a firewall, and access should be restricted to those that really need it.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:
CVE-2023-29411 CVSS score 9.8 out of 10: A missing authentication for critical function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. Exploiting this vulnerability offers an unauthorized attacker the option to change the administrator login credentials.
CVE-2023-29412 CVSS score 9.8 out of 10: The improper handling of case sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. The software does not neutralize or incorrectly neutralizes special elements which could lead to remote code execution.
CVE-2023-29413 CVSS score 7.5 out of 10: A missing authentication for critical function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. Generally Denial-of-Service vulnerabilities are not considered serious, but given the importance in some use cases of uninterrupted power supply, the consequences of an outage can be serious.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.