Three critical Zero Day vulnerabilities have been uncovered in popular uninterruptible power supply APC-SMART UPS devices. They could be exploited and used to bring down infrastructure and even cause physical harm. A malicious actor could exploit these flaws and cause severe service disruptions, data loss, and even lead to a potential injury.
Researchers from Armis Labs recently found a flaw in APC Smart-UPS, which could be catastrophic for millions of businesses around the world. A subsidiary of Schneider Electric, APC is one of the leading suppliers of UPS devices worldwide. These devices are essential for companies that require high availability, such as hospitals. The flaw has been dubbed TLStorm and is a result of an unprotected remote management interface.
Cybersecurity researchers are warning businesses to prepare for digital disasters. There’s a high risk of cyber and physical damage if the vulnerabilities are exploited, according to a report published online on Tuesday. A global impact is possible.
Using TLStorm, attackers can remotely take over your devices and use them to gain access to your internal network and steal your data. Moreover, they can cut power to mission-critical appliances or business services to cause physical injury or disrupt business services.
Researchers said in the report: “The latest APC Smart-UPS models are controlled through a cloud connection, and a bad actor who successfully exploits TLStorm vulnerabilities could remotely take over devices from the internet without any user interaction or the user ever knowing about it,”
An attacker can exploit these flaws to gain code execution on a device, which in turn could lead to physical damage of the device itself or other connected assets. Schneider Electric worked with Armis Inc. to create patches for the vulnerabilities on its website. The patches are available on the Schneider Electric website. So far, there is no indication that the vulnerabilities have been exploited.
The TLStorm Vulnerabilities
The first bug, CVE-2022-22805, is a buffer overflow that can lead to remote code execution (RCE).
The second bug, CVE-2022-22806 is a TLS authentication bypass that can also lead to RCE. Both received a severity rating of 9.0 on the Common Vulnerability Scoring System (CVSS) scale.
The discovery of vulnerabilities in APC Smart UPS devices also underscores the need for organizations to protect against security threats. Plus, it emphasizes the volatility of devices within enterprise networks responsible for power reliability and other critical infrastructure. These vulnerabilities must be handled immediately by businesses using APC Smart UPS devices.