APC Patches Critical UPS Software Vulnerabilities

April 25, 2023

APC has addressed critical security vulnerabilities discovered in its Easy UPS Online Monitoring Software. Successful exploitation of these vulnerabilities by a threat actor could lead to remote code execution (RCE) or a Denial-of-Service (DoS) condition.

The Vulnerabilities

  • CVE-2023-29411 (CVSS score: 9.8, Critical) – Missing Authentication for Function Vulnerability.
    Successful exploitation of this vulnerability could allow an unauthenticated threat actor to modify administration credentials.
    This could lead to remote code execution (RCE) via the Java RMI interface.
  • CVE-2023-29412 (CVSS score: 9.8, Critical) – Improper Handling of Case Sensitivity Vulnerability.
    Successful exploitation of this vulnerability could allow a threat actor to execute arbitrary code.
  • CVE-2023-29413 (CVSS score: 7.5, High) – Missing Authentication for Critical Function Vulnerability.
    Successful exploitation of this vulnerability could allow an unauthenticated threat actor to cause a Denial-of-Service (DoS) condition.

Affected Products

  • APC Easy UPS Online Monitoring Software v2.5-GA-01-22320 and prior.
  • Schneider Electric Easy UPS Online Monitoring Software v2.5-GA-01-22320 and prior.
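To turn the "v2.5-GA-01-22320 and prior" cutoff into something that can be run against an asset inventory, the following Python helper is an added example (not code from APC, Schneider Electric or this advisory). It assumes the version string has the shape major.minor-stage-patch-build and that the numeric fields compare in that order; that layout is an assumption made for the example, not vendor documentation, so versions that do not fit it are reported as "unknown" rather than silently cleared. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Cutoff taken from the advisory: this version and all prior versions are affected.
AFFECTED_UP_TO = "2.5-GA-01-22320"

# Assumed layout: <major>.<minor>-<stage>-<patch>-<build>, with an optional leading "v".
# Splitting the string into these fields is an assumption for this example.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)-([A-Za-z]+)-(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Return a comparable tuple (major, minor, patch, build).

    The alphabetic stage field (e.g. "GA") is validated but not used for
    ordering, because the advisory gives no ordering rule for it.
    Raises ValueError for strings that do not match the assumed layout.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, _stage, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build))


def is_affected(version: str, cutoff: str = AFFECTED_UP_TO) -> bool:
    """True when `version` is the cutoff version or older."""
    return parse_version(version) <= parse_version(cutoff)


def triage_inventory(inventory: dict) -> dict:
    """Classify each host as 'affected', 'not affected' or 'unknown'.

    `inventory` maps hostname -> reported Easy UPS Online Monitoring version.
    Unparseable versions are flagged 'unknown' so they get manual review
    instead of being treated as patched.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "ups-mon-01": "v2.5-GA-01-22320",   # exactly the cutoff: affected
        "ups-mon-02": "2.5-GA-01-22319",    # older build: affected
        "ups-mon-03": "2.5-GA-01-22321",    # newer build: not affected
        "ups-mon-04": "2.4-GA-02-30000",    # older minor: affected
        "ups-mon-05": "unknown",            # cannot be parsed: needs review
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Run the script as-is to see the constructed inventory classified; in practice the dictionary would be filled from whatever asset register or software inventory the team maintains. Treating the "unknown" bucket as work to do, rather than as clean, is the point of the separate status.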

Mitigation

CYREBRO recommends updating affected products to the latest version, following the guidance published on Schneider Electric’s security portal.

References: Schneider Electric
