
Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged

Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.

Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm.

APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.

Armis researchers have analyzed the communications between the APC Smart-UPS devices and their remote management services, and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.

One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution.

These vulnerabilities can be exploited remotely — including from the internet — by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.

The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. Because firmware updates are not cryptographically signed, an attacker could craft malicious firmware and install it from a USB drive, over the network, or even from the internet.

“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.
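The missing control behind CVE-2022-0715 is a signature check before a firmware image is accepted. The following is an added example, not APC's, Schneider Electric's or Armis's code, of such an update gate: it assumes a hypothetical container layout of version || image || Ed25519 signature and a vendor public key pinned in the device, and also rejects rollback to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container: 4-byte big-endian version, the image bytes,
// then a 64-byte Ed25519 signature over (version || image). Not a real APC format.
var (
	ErrShort    = errors.New("update blob too short")
	ErrBadSig   = errors.New("firmware signature invalid")
	ErrRollback = errors.New("firmware version not newer than installed")
)

// Verifier models the device side: a pinned vendor key and the running version.
type Verifier struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

// Package models the vendor side: build and sign an update container.
func Package(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(buf, version)
	buf = append(buf, image...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// Check verifies the signature first, then the version, and returns the
// version the blob carries; the image must never be flashed unless err == nil.
func (v Verifier) Check(blob []byte) (uint32, error) {
	if len(blob) < 4+ed25519.SignatureSize {
		return 0, ErrShort
	}
	body, sig := blob[:len(blob)-ed25519.SignatureSize], blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(v.VendorPub, body, sig) {
		return 0, ErrBadSig
	}
	ver := binary.BigEndian.Uint32(body[:4])
	if ver <= v.InstalledVersion {
		return ver, ErrRollback
	}
	return ver, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	dev := Verifier{VendorPub: pub, InstalledVersion: 3}
	blob := Package(priv, 4, []byte("constructed firmware image"))
	blob[6] ^= 0xff // a tampered image must be rejected
	_, err := dev.Check(blob)
	fmt.Println("tampered update accepted?", err == nil)
}
```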

In an effort to demonstrate the potential impact of these vulnerabilities, the cybersecurity firm has developed a proof-of-concept (PoC) exploit that causes a UPS’s internal circuitry to heat up until smoke comes out and the device becomes completely bricked.

“Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network,” Armis said. “Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall. They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”

In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity,” impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that patch these vulnerabilities. For products without a firmware patch, Schneider has provided a series of mitigations for reducing the risk of exploitation.

Related: Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs

Related: Flaws in Pneumatic Tube System Can Facilitate Cyberattacks on North American Hospitals

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
