Advisory

Critical Vulnerabilities in Schneider Electric APC Easy UPS Online Monitoring Software

Take action: If you are using APC/Schneider Electric Easy UPS Online Monitoring Software, update it as soon as you can, or isolate it on a locked-down network segment that is not reachable from the Internet.


Schneider Electric has identified multiple critical vulnerabilities in its APC Easy UPS Online Monitoring Software, affecting versions up to and including v2.5-GA-01-22261, and in Schneider Electric Easy UPS Online Monitoring Software version V2.5-GA-01-22320 and prior. These vulnerabilities are significant because of their high severity scores and because they can be exploited remotely.

Affected products: Schneider Electric / APC Easy UPS Online Monitoring Software, v2.5-GA-01-22261 and prior

Vulnerability Overview

CVE-2023-29411 (CVSS score 9.8) - Missing Authentication for Critical Function - This vulnerability allows changes to administrative credentials without requiring prior authentication on the Java RMI interface, potentially leading to remote code execution.

CVE-2023-29412 (CVSS score 9.8) - Improper Neutralization of Special Elements used in an OS Command - This OS Command Injection vulnerability could cause remote code execution when internal methods are manipulated through the Java RMI interface.

CVE-2023-29413 (CVSS score 7.5) - Missing Authentication for Critical Function - This vulnerability could cause a denial-of-service condition when accessed by an unauthenticated user on the Schneider UPS Monitor service.

The potential impact of these flaws: unauthenticated attackers can execute arbitrary commands or code remotely, cause service disruption or DDoS, or change administrative credentials without prior authentication.

Users are strongly recommended to update to the latest version of APC Easy UPS Online Monitoring Software that addresses these vulnerabilities.
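To turn the affected-version thresholds above into an inventory check, here is an added example (not code from Schneider Electric or from this advisory) that parses the vendor's version-string format and flags installs at or below the quoted ceilings. The inventory entries are constructed sample data, and the assumption that the numeric fields of the version string compare in order (major, minor, revision, build) is mine, not something the advisory states.

```python
import re
from typing import List, NamedTuple, Tuple

# Ceilings quoted in the advisory; "and prior" means versions <= these are affected.
AFFECTED_MAX = {
    "APC Easy UPS Online Monitoring Software": "v2.5-GA-01-22261",
    "Schneider Electric Easy UPS Online Monitoring Software": "V2.5-GA-01-22320",
}

# Matches strings shaped like v2.5-GA-01-22261: major.minor-STAGE-revision-build
_VERSION_RE = re.compile(r"^[vV](\d+)\.(\d+)-([A-Za-z]+)-(\d+)-(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    stage: str
    rev: int
    build: int


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, stage, rev, build = m.groups()
    return Version(int(major), int(minor), stage.upper(), int(rev), int(build))


def is_affected(product: str, installed: str) -> bool:
    ceiling = parse_version(AFFECTED_MAX[product])
    cur = parse_version(installed)
    # Assumption: the numeric fields order builds; the stage tag is ignored.
    return (cur.major, cur.minor, cur.rev, cur.build) <= (
        ceiling.major, ceiling.minor, ceiling.rev, ceiling.build)


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ups-mon-01", "APC Easy UPS Online Monitoring Software", "v2.5-GA-01-22261"),
    ("ups-mon-02", "APC Easy UPS Online Monitoring Software", "v2.5-GA-01-22270"),
    ("ups-mon-03", "Schneider Electric Easy UPS Online Monitoring Software", "V2.5-GA-01-22320"),
    ("ups-mon-04", "Schneider Electric Easy UPS Online Monitoring Software", "V2.6-GA-01-23001"),
]


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose installed version falls inside the affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch or isolate")
```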
