International Cyber Expo International Cyber Expo
  • About Us
Friday, 17 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

TLStorm: Armis finds Three Critical Zero-Days in APC Smart-UPS devices that could impact over 7 in 10 organisations worldwide

Vulnerabilities found in widely-used Uninterruptible Power Supplies could allow attackers to bypass security features and remotely take over or damage critical industrial, medical, and enterprise devices

by Guru Writer
March 8, 2022
in Featured, Industrial Internet of Things, Research
TLStorm: Armis finds Three Critical Zero-Days in APC Smart-UPS devices that could impact over 7 in 10 organisations worldwide
Share on FacebookShare on Twitter

 

Armis, unified asset visibility and security company, announced the discovery of three zero-day vulnerabilities in APC Smart-UPS devices that can allow attackers to gain remote access. If exploited, these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt, and even destroy APC Smart-UPS devices and attached assets, researchers have warned.

 

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centres, industrial facilities, hospitals, and more. APC is a subsidiary of Schneider Electric and is one of the leading vendors of UPS devices, with over 20 million devices sold worldwide. 

 

“Until recently, assets, such as UPS devices, were not perceived as security liabilities. However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector,” said Barak Hadad, Head of Research, Armis. “It is vital that security professionals have complete visibility of all assets, along with the ability to monitor their behaviour, to identify exploitation attempts of vulnerabilities such as TLStorm.”

 

Enterprise Risk Exposure

For this research, Armis investigated APC Smart-UPS devices and their remote management and monitoring services due to the widespread use of APC UPS devices in its customer environments. The latest models use a cloud connection for remote management. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack.

 

The discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices and a third high-severity vulnerability, a design flaw, in which firmware upgrades of most Smart-UPS devices are not correctly signed or validated.

 

Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud, the company said in its press release. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost. Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction. the vulnerabilities include:

 

  • CVE-2022-22805 – (CVSS 9.0) TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
  • CVE-2022-22806 – (CVSS 9.0) TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.

 

The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. As a result, an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks. 

 

  • CVE-2022-0715 – (CVSS 8.9) Unsigned firmware upgrade that can be updated over the network (RCE).

 

Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, as has been recently detailed in the analysis of the Cyclops Blink malware, and improper signing of firmware is a recurring flaw in various embedded systems. For example, a previous vulnerability discovered by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) resulted from a similar type of flaw.

 

“TLStorm vulnerabilities occur in cyber-physical systems that bridge our digital and physical worlds, giving cyberattacks the possibility of real-world consequences,” said Yevgeny Dibrov, CEO and Co-founder of Armis. “The Armis platform addresses this hyper-connected reality, where one compromised identity and device can open the door to cyberattacks, and the security of every asset has become foundational to protect business continuity and brand reputation. Our ongoing research secures organisations by providing 100% complete visibility of their IT, cloud, IoT, OT, IoMT,  5G, and edge assets.”

 

Updates and Mitigations

Schneider Electric worked in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities. To the best of both companies’ knowledge, there is no indication the TLStorm vulnerabilities have been exploited.

Organisations deploying APC Smart-UPS devices should patch impacted devices immediately. More information can be found in the Schneider Electric security advisory here. 

 

Armis customers can immediately identify APC Smart-UPS devices that are vulnerable in their environments and begin remediation. 

 

Research Presentations

Armis experts will discuss the TLStorm research during the following virtual and in-person events:

  • Webinar (Wednesday, March 30, 1:00 p.m. EST): Lightning from the Cloud
  • LinkedIn Live (Thursday, March 10, 2022, 12:00 p.m. EST): Lightning from the Cloud
  • Nullcon Berlin 2022 (April 5-9, 2022) – Finding and Exploiting Critical Bugs in TLS Libraries used by “Smart” UPS Devices 
  • Black Hat Asia 2022 (May 10-13, 2022) – Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS 

 

ShareTweet
Previous Post

Samsung Source Codes Stolen

Next Post

Chinese phishing accounts are targeting EU diplomats

Recent News

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

July 17, 2026
AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

July 16, 2026
Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

July 15, 2026
Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026

Eskenzi PR banner ad

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol