International Cyber Expo International Cyber Expo
  • About Us
Tuesday, 14 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Positive Technologies uncovers critical vulnerabilities in APC uninterrupted power supplies

by The Gurus
April 23, 2018
in Editor's News
Share on FacebookShare on Twitter

Positive Technologies experts Ilya Karpov, Evgeny Druzhinin, and Stephen Nosov have discovered four vulnerabilities in management cards for APC by Schneider Electric hardware. These uninterrupted power supply (UPS) units are used in various sectors. Two of the vulnerabilities received the maximum possible CVSS v3 score of 10, indicating a very high degree of risk.  

 

Security issues were found in APC MGE SNMP/Web Card Transverse 66074 management cards, which are present in several series of UPS units: Galaxy 5000/6000/9000, EPS 7000/8000/6000, Comet UPS/3000, Galaxy PW/3000/4000, and STS (Upsilon and Epsilon).[1]

 

The first vulnerability, CVE-2018-7243 (score 10), in the built-in web server (port 80/443/TCP) allows a remote attacker to bypass the authentication system and obtain full administrative access to the UPS, which jeopardizes the continued uptime of equipment connected to electrical power.

 

Schneider Electric recommends replacing vulnerable management cards with NMC kit G5K9635CH on the Galaxy 5000, Galaxy 6000, and Galaxy 9000. For the MGE EPS 7000 and MGE EPS 8000, the vendor recommends installing NMC kit G9KEPS9635CH. For other affected units, no replacement cards are available. The vendor also recommends following cybersecurity best practices in order to minimize risks.

 

The second vulnerability found in the built-in web server (port 80/443/TCP) enables an attacker to obtain sensitive information about the UPS unit (CVE-2018-7244, score 5.3).

 

Exploitation of the third vulnerability (CVE-2018-7245, score 7.3) can result in an unauthorized user changing the settings of the device, including disable parameters. To address these two vulnerabilities, users must, on the access control page, enable authentication for all HTML pages (this can be selected by the user during initial setup of the UPS).

 

With the fourth vulnerability (CVE-2018-7246, score 10), a remote attacker can intercept administrator account credentials. If SSL is not activated on the UPS, account credentials are sent in cleartext when the access control page is requested. The vendor advises specifying SSL as the default mode and applying special precautions to limit access to administration interfaces, such as by using Modbus RTU in combination with a Modbus/SNMP gateway.

 

For early detection of cyberincidents and awareness of ICS vulnerabilities, Positive Technologies offers PT ISIM and MaxPatrol for the specific needs of industrial protocols and networks.

Tags: CybersecurityTechnology
ShareTweet
Previous Post

The importance of inspecting encrypted traffic

Next Post

The digital gold rush: the dark side of cryptocurrency adds to the infosec challenge

Recent News

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026
Lidl Confirms Data Breach After Third-Party IT Provider Hack

Lidl Confirms Data Breach After Third-Party IT Provider Hack

July 14, 2026
Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

July 14, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

AI has crossed from assistant to operator, Check Point research warns

July 14, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol