APC warns of critical unauthenticated RCE flaws in UPS software

Jan 21, 2024

APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disable their functionality altogether.

Uninterruptible Power Supply (UPS) devices are vital in safeguarding data centers, server farms, and smaller network infrastructures by ensuring seamless operation amidst power fluctuations or outages.

APC (by Schneider Electric) is one of the most popular UPS brands. Its products are widely deployed on both the consumer and corporate markets, including governmental, healthcare, industrial, IT, and retail infrastructure.

Earlier this month, the vendor published a security notification to warn about the following three flaws impacting its products:

While denial-of-service (DoS) flaws are generally not considered very dangerous, many UPS devices are located in data centers, where the consequences of such an outage are magnified because it could block the remote management of devices.

The above flaws impact:

The flaws affect all Windows versions, including 10 and 11, as well as Windows Server 2016, 2019, and 2022.

The recommended action for users of the impacted software is to upgrade to V2.5-GS-01-23036 or later, available for download from here (APC, SE).

Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to the PowerChute Serial Shutdown (PCSS) software suite, which provides serial shutdown and monitoring, on all servers protected by their Easy UPS OnLine (SRV, SRVL models).

General security recommendations provided by the vendor include placing mission-critical internet-connected devices behind firewalls, utilizing VPNs for remote access, implementing strict physical access controls, and avoiding leaving devices in "Program" mode.

Recent research focusing on APC products revealed dangerous flaws collectively called ‘TLStorm,’ which could give hackers control of vulnerable and exposed UPS devices.

Soon after the publication of TLStorm, CISA warned of attacks targeting internet-connected UPS devices, urging users to take immediate action to block the attacks and protect their devices.


CVE-2023-29411 CVE-2023-29412 CVE-2023-29413