APC’s Easy UPS online monitoring software is vulnerable to unauthenticated arbitrary remote code execution, allowing attackers to take control of devices and, in the worst-case scenario, completely disable their functionality.
Uninterruptible Power Supplies (UPS) are essential for protecting data centers, server farms, and smaller network infrastructures by ensuring seamless operation amid power fluctuations or outages.
APC (from Schneider Electric) is one of the most popular UPS brands. Its products are widely deployed in consumer and enterprise markets, including government, healthcare, industrial, IT and retail infrastructure.
Earlier this month, the vendor published a security notice warning of the following three vulnerabilities affecting its products:
- CVE-2023-29411: Missing authentication for a critical function allowing an attacker to modify administrator credentials and execute arbitrary code on the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
- CVE-2023-29412: Improper handling of case sensitivity allowing an attacker to execute arbitrary code when manipulating internal methods via the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
- CVE-2023-29413: Missing authentication for a critical function that could allow an unauthenticated attacker to cause a denial of service (DoS) condition. (CVSS v3.1 score: 7.5, “high”)
Although denial-of-service vulnerabilities are generally not considered very dangerous, many UPS systems are located in data centers, where the consequences of such a failure are magnified because it can block remote management of the devices.
The above vulnerabilities affect:
- APC Easy UPS Online Monitoring Software v2.5-GA-01-22320 and earlier
- Schneider Electric Easy UPS online monitoring software v2.5-GA-01-22320 and earlier
The vulnerabilities affect the software on all versions of Windows, including 10 and 11, as well as Windows Server 2016, 2019 and 2022.
Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to PowerChute Serial Shutdown (CSSP) on all servers protected by your Easy UPS OnLine (SRV, SRVL models), which provides serial shutdown and monitoring.
General security recommendations provided by the vendor include placing critical Internet-connected devices behind firewalls, using VPNs for remote access, implementing strict physical access controls, and not leaving devices in “Program” mode.
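The first of those recommendations, restricting who can reach the monitoring host over the network, can be enforced directly on the Windows systems the software runs on with the built-in firewall. The following PowerShell is an added illustration and not code from APC, Schneider Electric or the advisory; the management subnet (10.0.10.0/24) and the listening port ($RmiPort = 1099, the Java RMI registry default) are assumed placeholders, because the page does not state which port the monitoring software's RMI interface listens on, and both must be replaced with the site's actual values.

```powershell
# Added example: restrict inbound access to the Easy UPS monitoring host's
# Java RMI listener to a management subnet using Windows Defender Firewall.
# Assumptions (placeholders, not taken from the advisory):
#   - 10.0.10.0/24 is the only network that should reach the monitoring host
#   - the RMI listener is on TCP 1099 (Java RMI registry default); verify the
#     real port on your installation before applying
$MgmtSubnet = '10.0.10.0/24'
$RmiPort    = 1099
$RuleName   = 'Easy UPS monitoring - RMI from management subnet only'

# Make sure unsolicited inbound traffic is blocked by default on every profile.
# Windows evaluates explicit Block rules before Allow rules, so the clean way
# to express "allow only the management subnet" is default-deny plus one
# narrowly scoped Allow rule, rather than a broad Block rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow the RMI port only from the management subnet.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort $RmiPort `
    -RemoteAddress $MgmtSubnet `
    -Action Allow `
    -Profile Domain,Private,Public `
    -Enabled True | Out-Null

# Show the resulting rule together with its address and port filters so the
# scope can be reviewed before the change window closes.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort

# Verification: from a host that is NOT inside $MgmtSubnet, the listener should
# now be unreachable (TcpTestSucceeded = False). Replace <easy-ups-host> with
# the monitoring host's name or address.
# Test-NetConnection -ComputerName <easy-ups-host> -Port $RmiPort
```

Scoping the rule by remote address rather than disabling the listener keeps the monitoring function available to administrators while removing the unauthenticated exposure the three CVEs depend on; the firewall change is a compensating control, not a substitute for the vendor's upgrade path.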
Recent research focused on APC products revealed a set of dangerous vulnerabilities collectively referred to as “TLStorm”, which could give attackers control of vulnerable and exposed UPS devices.
Shortly after TLStorm was disclosed, CISA warned of attacks targeting Internet-connected UPS devices, urging users to take immediate action to block attacks and protect their devices.