SEVD-2023-346-03 | Schneider Electric Security Notification

This notification describes a vulnerability in the Easy UPS Online Monitoring Software, which is used to configure and manage Easy UPS products. If not remediated, the vulnerability poses a risk of privilege elevation, potentially leading to arbitrary file deletion with system privileges.

Key details of the vulnerability include:

  • Affected Products: Easy UPS Online Monitoring Software, versions 2.6-GA-01-23116 and prior, compatible with Windows 10, 11, and Windows Server 2016, 2019, 2022.
  • CVE ID: CVE-2023-6407.
  • Severity: Medium, with a CVSS v3.1 Base Score of 5.3.
  • Nature of Vulnerability: A CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ‘Path Traversal’) vulnerability that could allow a local, low-privileged attacker to cause arbitrary file deletion when the service restarts.

Remediation steps include:

  1. Upgrading to version 2.6-GA-01-23248 of the Easy UPS Online Monitoring Software, which includes a fix for this vulnerability.
  2. Transitioning to PowerChute Serial Shutdown for serial/USB shutdown and monitoring, and PowerChute Network Shutdown for network shutdown and monitoring, especially since the Easy UPS Online Monitoring Software has been discontinued.

For more information, users are advised to visit Schneider Electric’s cybersecurity support portal and contact their local representatives or Schneider Electric Industrial Cybersecurity Services.