Schneider UPS Online Monitoring Software Vulnerability - 20230419002
Overview
Schneider Electric is aware of multiple vulnerabilities in its APC and Schneider Electric branded Easy UPS Online Monitoring Software.
Among them is a vulnerability that allows an attacker with no prior authentication to change administrative credentials over the software's Java RMI interface, which could in turn lead to remote code execution.
What is the vulnerability?
Successful exploitation of these vulnerabilities could result in remote code execution, privilege escalation, or authentication bypass, which in turn could lead to execution of malicious web code or loss of device functionality.
CVE-2023-29411 - CVSS v3 Base Score: 9.8
CVE-2023-29412 - CVSS v3 Base Score: 9.8
CVE-2023-29413 - CVSS v3 Base Score: 7.5
What is vulnerable?
The vulnerability affects the following products:
- APC Easy UPS Online Monitoring Software: Version V2.5-GA-01-22320 and prior.
- Schneider Electric Easy UPS Online Monitoring Software: Version V2.5-GA-01-22320 and prior.
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends that administrators apply the vendor-supplied updates, following the vendor's instructions, to every affected installation:
- APC Easy UPS Online Monitoring Software: Version 2.6-GA
- Schneider Electric Easy UPS Online Monitoring Software: Version 2.6-GS
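The following is an added example for turning the affected and fixed versions above into a fleet check; it is not part of the WA SOC advisory or of any Schneider Electric tooling. It assumes that version strings follow the shape shown in the advisory (`V2.5-GA-01-22320`: major.minor, a release tag, then optional numeric build fields) and that versions order by major, minor and then the last numeric build field. The inventory CSV, the hostnames and the older `V2.4-GA-01-21290` version are constructed for illustration; the product names and fixed versions are the advisory's.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Product names, affected ceilings and fixed versions as listed in the advisory.
AFFECTED_UP_TO: Dict[str, str] = {
    "APC Easy UPS Online Monitoring Software": "V2.5-GA-01-22320",
    "Schneider Electric Easy UPS Online Monitoring Software": "V2.5-GA-01-22320",
}
FIXED_IN: Dict[str, str] = {
    "APC Easy UPS Online Monitoring Software": "2.6-GA",
    "Schneider Electric Easy UPS Online Monitoring Software": "2.6-GS",
}

# Assumed version layout: optional "V", major.minor, optional "-TAG",
# then up to two optional numeric fields ("-01-22320").
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:-([A-Z]+))?(?:-(\d+))?(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return a sortable (major, minor, build) tuple; build is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    # Assumption: the last numeric field (22320 in V2.5-GA-01-22320) is the build.
    build = int(m.group(5) or m.group(4) or 0)
    return (major, minor, build)


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the advisory's ceiling."""
    return parse_version(version) <= parse_version(AFFECTED_UP_TO[product])


# Constructed inventory export (hypothetical hosts), not real data.
SAMPLE_INVENTORY = """hostname,product,version
ups-mon-01,APC Easy UPS Online Monitoring Software,V2.5-GA-01-22320
ups-mon-02,APC Easy UPS Online Monitoring Software,V2.6-GA
ups-mon-03,Schneider Electric Easy UPS Online Monitoring Software,V2.4-GA-01-21290
ups-mon-04,Schneider Electric Easy UPS Online Monitoring Software,V2.6-GS
ups-mon-05,Schneider Electric Easy UPS Online Monitoring Software,n/a
ups-mon-06,Some Unrelated Monitoring Agent,1.0.0
"""


def triage_inventory(csv_text: str) -> List[dict]:
    """Classify each in-scope row as affected, fixed, or review (unparseable version)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = row["product"].strip()
        if product not in AFFECTED_UP_TO:
            continue  # not one of the products named in this advisory
        version = row["version"].strip()
        try:
            status = "affected" if is_affected(product, version) else "fixed"
        except ValueError:
            status = "review"  # version string unreadable; confirm by hand
        findings.append({
            "hostname": row["hostname"].strip(),
            "product": product,
            "version": version,
            "status": status,
            "fixed_in": FIXED_IN[product],
        })
    return findings


def affected_hosts(csv_text: str) -> List[str]:
    """Hostnames that still need the vendor update, sorted for ticketing."""
    return sorted(f["hostname"] for f in triage_inventory(csv_text)
                  if f["status"] == "affected")


if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f'{finding["hostname"]}: {finding["status"]} '
              f'({finding["version"]}, fixed in {finding["fixed_in"]})')
```

Rows whose version cannot be parsed are deliberately kept and marked `review` rather than dropped, so an empty or malformed inventory field cannot silently hide an unpatched host; rows for products outside the advisory are skipped.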