CVE-2022-0715 — Improper Authentication in SCL Series 1029 UPS Firmware

CWE-287 — Improper Authentication CWE-345 — Insufficient Verification of Data Authenticity3 documents3 sources

Severity

9.1CRITICALNVD

EPSS

1.1%

top 22.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric SCL Series 1029 UPS Firmware Schneider-electric SCL Series 1030 UPS Firmware Schneider-electric SCL Series 1036 UPS Firmware +32 more

Timeline

PublishedMar 9

Latest updateMar 10

Description

A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leaked and used to upload malicious firmware. Affected Product: APC Smart-UPS Family: SMT Series (SMT Series ID=18: UPS 09.8 and prior / SMT Series ID=1040: UPS 01.2 and prior / SMT Series ID=1031: UPS 03.1 and prior), SMC Series (SMC Series ID=1005: UPS 14.1 and prior / SMC Series ID=1007: UPS 11.0 and prior / SMC Series ID=1041: UPS 01.1 and prior), S…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages35 packages

▶NVDschneider-electric/smtl_series_1026_ups_firmware02.9

▶NVDschneider-electric/srt_series_1013_ups_firmware05.1

▶NVDschneider-electric/srt_series_1014_ups_firmwarea05.2

▶NVDschneider-electric/srt_series_1019_ups_firmware08.3

▶NVDschneider-electric/srt_series_1025_ups_firmware08.3

🔴Vulnerability Details

GHSA

GHSA-fxwp-hqgp-45qg: A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leake↗2022-03-10

▶

CVEList

CVE-2022-0715: A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leake↗2022-03-09

▶