Advisory Details

June 11th, 2024

Schneider Electric APC Easy UPS Online startRun Exposed Dangerous Method Remote Code Execution Vulnerability

CVE ID
CVSS SCORE	9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS	Schneider Electric
AFFECTED PRODUCTS	APC Easy UPS Online
VULNERABILITY DETAILS	This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric APC Easy UPS Online. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SchneiderUPS.exe desktop application. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of the current user.
ADDITIONAL DETAILS	Fixed in The APC Easy UPS Online Monitoring Software v2.5-GA-01-23116 https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-APCMONREL_EN&p_enDocType=Quick+start+guide&p_File_Name=APC+Easy+UPS+Online+Monitoring+Software+Release+Notes+-+2.6-GA-01-23116.pdf
DISCLOSURE TIMELINE	2023-06-07 - Vulnerability reported to vendor 2024-06-11 - Coordinated public release of advisory 2024-08-15 - Advisory Updated
CREDIT	Anonymous

BACK TO ADVISORIES