Zero-Click Flaws in Widely Used UPS Devices Threaten Critical Infratructure

2022-03-08 15:14

Three critical security vulnerabilities in widely used smart uninterruptible power supply devices could allow for remote takeover, meaning that malicious actors could cause business disruptions, data loss and even physical harm to critical infrastructure, researchers have found.

APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices.

An attacker can exploit the flaws to gain code execution on a device, which in turn could be used to alter the operation of the UPS to physically damage the device itself or other assets connected to it, researchers said.

There is precedence for attackers targeting UPS devices, among others, to take down critical infrastructure.

The discovery of TLStorm vulnerabilities also underscores the volatility of devices within enterprise networks that are responsible for power reliability and other critical infrastructure, researchers noted.

Network administrators also can deploy access control lists in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications, researchers added.

News URL

https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/

#critical #UPS