Security News > 2022 > March > Millions of APC Smart-UPS devices vulnerable to TLStorm

Millions of APC Smart-UPS devices vulnerable to TLStorm
2022-03-09 12:29

If you're managing a smart model from ubiquitous uninterrupted power supply device brand APC, you need to apply updates now - a set of three critical zero-day vulnerabilities are making Smart-UPS devices a possible entry point for network infiltration.

The vulnerabilities, dubbed "TLStorm" were found in Schneider Electric's APC Smart-UPS products by security firm Armis, which made the info public on Tuesday.

The affected UPSes - ranging across 10 product lines listed here [PDF] - cater to small to medium businesses, providing backup power in emergency situations.

An exploitation could result in weaponized power outages or surges of battery function affecting both the power supply and other connected systems, as well as breaches of company data or installed malware.

Notably, and topically, threat actors attacked the Ukrainian power grid in 2015.

"Schneider Electric is aware of the vulnerabilities associated with APC Smart-UPS uninterruptible power supply devices which, if compromised, may allow for potential unauthorized access and control of the device," said Schneider Electric, adding that it was working to develop remediations and mitigations, as well as disclose to customers and end-users.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/09/tlstorm_apc_ups_critical_zero_days/