APC warns of critical unauthenticated RCE flaws in UPS software (Security News, April 2023)

APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disable their functionality altogether.
Denial-of-service flaws are generally not considered very dangerous, but because many UPS devices are located in data centers, the consequences of such an outage are magnified: it could block the remote management of the devices.
Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to the PowerChute Serial Shutdown software suite on all servers protected by their Easy UPS OnLine, which provides serial shutdown and monitoring.
General security recommendations provided by the vendor include placing mission-critical internet-connected devices behind firewalls, using VPNs for remote access, implementing strict physical access controls, and avoiding leaving devices in "Program" mode.
Recent research focusing on APC products revealed dangerous flaws collectively called 'TLStorm,' which could give hackers control of vulnerable and exposed UPS devices.
Soon after the publication of TLStorm, CISA warned of attacks targeting internet-connected UPS devices, urging users to take immediate action to block the attacks and protect their devices.