APC warns of critical unauthenticated RCE flaws in UPS software
Security News, April 2023
APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated remote code execution, allowing attackers to take over affected devices and, in the worst case, disable their functionality altogether.
Denial-of-service flaws are generally considered less severe, but because many UPS units sit in data centers, the consequences of such an outage are magnified: losing the monitoring software can block remote management of the devices.
Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to the PowerChute Serial Shutdown software suite, which provides serial shutdown and monitoring, on all servers protected by Easy UPS OnLine.
General security recommendations from the vendor include placing mission-critical, internet-connected devices behind firewalls, using VPNs for remote access, enforcing strict physical access controls, and not leaving devices in "Program" mode.
Recent research into APC products revealed a set of dangerous flaws collectively called 'TLStorm' that could give attackers control of vulnerable, internet-exposed UPS devices.
Soon after the publication of TLStorm, CISA warned of attacks targeting internet-connected UPS devices, urging users to take immediate action to block the attacks and protect their devices.