Multiple Vulnerabilities in APC Easy UPS Online Monitoring Software

APC Easy UPS Online Monitoring Software, produced by Schneider Electric, is affected by two Critical severity vulnerabilities and one High severity vulnerability

Threat ID:: CC-4309
Threat Severity:: Medium
Published:: 25 April 2023 3:34 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

APC Easy UPS Online Monitoring Software, produced by Schneider Electric, is affected by two Critical severity vulnerabilities and one High severity vulnerability

Affected platforms

The following platforms are known to be affected:

Versions: V2.5-GA-01-22320 and prior

APC Easy UPS Online Monitoring Software

Threat details

Introduction

Schneider Electric has released a security notification regarding three vulnerabilities affecting APC Easy UPS Online Monitoring Software. Two of the vulnerabilities are classified as Critical and could allow remote code execution by an unauthenticated attacker. The third vulnerability is classified as High severity and could result in a denial-of-service condition, if exploited by an unauthenticated attacker.

Remediation advice

Affected organisations are encouraged to review Schnieder Electric's security notification and apply the relevant updates.

Definitive source of threat updates

https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

CVE Vulnerabilities

Status Published

CVE-2023-29411

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.

Status Published

CVE-2023-29412

A CWE-78: Improper Handling of Case Sensitivity vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface.

Status Published

CVE-2023-29413

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service.

Last edited: 25 April 2023 3:34 pm