APC, one of the leaders in backup power supply products are on the receiving end of three new vulnerabilities which may put millions of organizations at risk.

APC's smart uninterruptible power supply devices are commonly used in data centers, health care and industrial facilities as a safeguard against data loss during power outage events. They are sophisticated pieces of equipment with built-in network connectivity that allow for direct access to a management dashboard as well as a cloud integration in the newer models.

Researchers at Armis Labs discovered three critical vulnerabilities (Dubbed “TLStorm”) in the smart-UPS and SmartConnect devices that, if collectively exploited, could allow attackers to disable, alter and even destroy the units. A demonstration performed by Armis researchers can be viewed here, showing how units can be tampered with to the point where the device overheats and nearly catches fire.

Two of the three vulnerabilities exploit a flaw in the communication between the device and the cloud of the parent company (Schneider Electric). When communication to the device is lost, the Smart-UPS will attempt to reestablish connection; this is where attackers can trigger the vulnerabilities by sending unauthenticated packets to the device which allows them to bypass authentication. This is considered a “Zero-Click” attack as it does not require user interaction to be performed.

The third vulnerability affects the devices mechanism for upgrading firmware where the updates are not cryptographically signed, allowing the attacker to forge a malicious version of the firmware, which the device will automatically install when connection to the network is reestablished. This malicious firmware can be crafted to provide full access to the device and be used as a foothold in gaining further access to a network.

This discovery from Armis Labs depicts a new era of threats facing devices that both, regulate high voltage, and maintain a connection to the internet. Malicious actors could miniplate vulnerable devices and cause physical damage from a remote location. In the hit show Mr. Robot, (spoiler warning) an attack in striking resemblance to TLStorm was launched against a data center causing back up power units to overheat and explode. What was once a fictional scenario could now be a reality.

Schneider Electric have released a security notification outlining which models are affected and provide suggestions for users to remediate the issues. See below for affected versions as well as remediation strategy:

Affected models


Affected Version

Smart-UPS family

SMT Series

SMT Series ID=18: UPS 09.8 and prior
SMT Series ID=1040: UPS 01.2 and prior
SMT Series ID=1031: UPS 03.1 and prior

SMC Series

SMC Series ID=1005: UPS 14.1 and prior
SMC Series ID=1007: UPS 11.0 and prior
SMC Series ID=1041: UPS 01.1 and prior

SCL Series

SCL Series ID=1030: UPS 02.5 and prior
SCL Series ID=1036: UPS 02.5 and prior

SMX Series

SMX Series ID=20: UPS 10.2 and prior
SMX Series ID=23: UPS 07.0 and prior

SRT Series

SRT Series ID=1010/1019/1025: UPS 08.3 and prior
SRT Series ID=1024: UPS 01.0 and prior
SRT Series ID=1020: UPS 10.4 and prior
SRT Series ID=1021: UPS 12.2 and prior
SRT Series ID=1001/1013: UPS 05.1 and prior
SRT Series ID=1002/1014: UPSa05.2 and prior

SmartConnect Family

SMT Series

SMT Series ID=1015: UPS 04.5 and prior

SMC Series

SMC Series ID=1018: UPS 04.2 and prior

SMTL Series

SMTL Series ID=1026: UPS 02.9 and prior

SCL Series

SCL Series ID=1029: UPS 02.5 and prior SCL Series ID=1030: UPS 02.5 and prior SCL Series ID=1036: UPS 02.5 and prior SCL Series ID=1037: UPS 03.1 and prior

SMX Series

SMX Series ID=1031: UPS 03.1 and prior


Affected Products


Smart-UPS SMT and SMC Series
SmartConnect SMT and SMC Series

There are three ways to apply this remediation:

  • For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.
  • For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.
  • For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.

When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.

Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature

To verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series) In addition to the remediations above, customers should immediately apply the General Security Recommendations to reduce the risk of exploit.

Smart-UPS SCL, SMX, and SRT Series

SmartConnect SMTL, SCL, and SMX Series

Schneider Electric is establishing a remediation plan for Smart-UPS SCL, SMX, and SRT Series and SmartConnect SMTL, SCL, and SMX Series that will include fixes for these vulnerabilities. We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations provided below to reduce the risk of exploit:

Mitigations to reduce the risk of exploit

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Source link