CVSS v3.1 (aggregator scoring)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
AI Score confidence: High
EPSS percentile: 30.1%
Successful exploitation of this vulnerability could allow elevation of privileges which could result in arbitrary file deletion with system privileges.
Schneider Electric reports that the following versions of Easy UPS Online Monitoring Software are affected:
Easy UPS Online Monitoring Software (Windows 10, 11, Windows Server 2016, 2019, 2022): versions 2.6-GA-01-23116 and prior
3.2.1 Path Traversal (CWE-22)
A path traversal vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker.
CVE-2023-6407 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).
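The defect class above is a privileged cleanup routine deleting a file whose path a low-privileged local user can steer outside the intended directory. The following added example is not Schneider Electric's code; it is an illustrative guard (directory layout and file names are constructed for the demo) showing the check such a routine should apply: canonicalize first, refuse symlinks, then compare the resolved target against the resolved base directory.

```python
import tempfile
from pathlib import Path


def safe_unlink(base_dir, relative_name: str) -> bool:
    """Delete base_dir/relative_name only if the canonical target stays inside base_dir.

    Returns True when a file was deleted, False when the request was refused.
    Refuses absolute paths, '..' traversal and symlinks that escape base_dir.
    """
    base = Path(base_dir).resolve(strict=True)
    if Path(relative_name).is_absolute():
        return False                      # an absolute name would replace base in the join
    candidate = base / relative_name
    # Do not follow a leaf symlink: a low-privileged user can plant one that
    # points at a file the privileged service would otherwise delete.
    if candidate.is_symlink():
        return False
    try:
        target = candidate.resolve(strict=True)   # collapses '..' and symlinked parents
    except FileNotFoundError:
        return False
    # Containment is checked on the canonical path, not on the string the caller supplied.
    if base not in target.parents:
        return False
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Build a scratch layout (constructed data) and exercise the guard."""
    root = Path(tempfile.mkdtemp())
    spool = root / "spool"                # directory the service is allowed to clean
    spool.mkdir()
    (spool / "job1.log").write_text("ok")
    outside = root / "important.cfg"      # file that must never be deletable via the spool
    outside.write_text("keep me")
    (spool / "link").symlink_to(outside)  # attacker-style symlink planted inside the spool
    return {
        "normal": safe_unlink(spool, "job1.log"),
        "traversal": safe_unlink(spool, "../important.cfg"),
        "symlink": safe_unlink(spool, "link"),
        "absolute": safe_unlink(spool, str(outside)),
        "outside_survived": outside.exists(),
    }
```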
A researcher working with Trend Micro Zero Day Initiative and Tenable Network Security reported this vulnerability to CISA.
Version 2.6-GA-01-23248 of Easy UPS Online Monitoring Software includes a fix for the vulnerabilities for Microsoft supported versions of Windows 10, 11, Windows Server 2016, 2019 & 2022 and is available for download.
The Easy UPS Online Monitoring Software has been discontinued coinciding with the discontinuation of the Easy UPS Online SNMP Cards (APV9601, APVS9601) managed by this software.
Schneider Electric recommends that users currently using Easy UPS Online Monitoring Software to manage Easy UPS Online (SRV/SRVS) transition to PowerChute Serial Shutdown for serial/USB shutdown and monitoring, and to PowerChute Network Shutdown for network shutdown and monitoring. For more information about PowerChute software, see the PowerChute references (www.apc.com/pcns, www.apc.com/pcss) listed below.
Schneider Electric strongly recommends users follow cybersecurity industry best practices, including:
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6407
cwe.mitre.org/data/definitions/22.html
download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-346-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-346-03.pdf
github.com/cisagov/CSAF
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.apc.com/pcns
www.apc.com/pcss
www.apc.com/us/en/faqs/FAQ000260058/
www.cisa.gov/resources-tools/resources/ics-recommended-practices
www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
www.cisa.gov/topics/industrial-control-systems
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/ncas/tips/ST04-014
www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
www.se.com/us/en/download/document/7EN52-0390/