CVE-2022-22805
📋 TL;DR
This CVE describes a critical buffer overflow in the TLS packet reassembly code of Schneider Electric APC Smart-UPS devices with SmartConnect firmware. A remote attacker who can get crafted, malformed TLS packets processed by the device's TLS stack can trigger the overflow without authenticating and execute arbitrary code, taking complete control of the UPS. The affected products are the SMT, SMC, SMTL, SCL and SMX series running firmware older than the fixed versions listed in the vendor advisory.
💻 Affected Systems
- SMT Series UPS
- SMC Series UPS
- SMTL Series UPS
- SCL Series UPS
- SMX Series UPS
📦 What is this software?
Schneider Electric SmartConnect UPS firmware, listed by product series and the Series ID the vendor advisory uses to identify each firmware line:
- SCL Series UPS firmware, Series IDs 1029, 1030, 1036, 1037
- SMC Series UPS firmware, Series ID 1018
- SMT Series UPS firmware, Series ID 1015
- SMTL Series UPS firmware, Series ID 1026
- SMX Series UPS firmware, Series ID 1031
⚠️ Risk & Real-World Impact
Worst Case
A remote, unauthenticated attacker gains full control of the UPS, executes arbitrary code, interferes with power management for the equipment the UPS protects, and uses the device as a pivot into other systems on the network.
Likely Case
Remote code execution on the UPS: device compromise, possible power disruption, and a persistent network foothold for further attacks.
If Mitigated
With the fixed firmware applied and UPS management traffic confined to a dedicated network segment, any residual impact is limited to the UPS itself, with no path to other systems.
🎯 Exploit Status
The flaw is a buffer overflow in the TLS packet reassembly code. Triggering it requires crafting specifically malformed TLS packets, but no authentication or prior access to the device is needed; the attacker only has to get those packets processed by the device's TLS stack.
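The following is an added illustration of the bug class, written for this page; it is not the Schneider Electric firmware code and not an exploit. It is a minimal TLS record-layer reassembler in Python that validates the attacker-controlled 16-bit length field against both the protocol maximum and the receiver's own buffer as soon as the header is complete, before any payload bytes are copied. The 4096-byte buffer size, the helper names and the constructed sample records are assumptions for the example; a reassembler that copies the payload first and checks the length afterwards is the class of defect described above.

```python
"""Illustrative TLS record reassembly with length checks (generic teaching code,
not Schneider Electric firmware). The point: the 16-bit length in the record
header is attacker-controlled and must be checked against the protocol limit and
the receiver's own buffer before any payload is copied."""
import struct

TLS_HEADER_LEN = 5                    # content_type(1) | version(2) | length(2)
MAX_FRAGMENT_LEN = 2 ** 14 + 2048     # RFC 5246: TLSCiphertext.length upper bound
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


class MalformedRecord(ValueError):
    """Raised when a record header cannot be trusted; the connection is dropped."""


def parse_record_header(data: bytes) -> tuple[int, int, int]:
    """Return (content_type, version, length) after validating a 5-byte header."""
    if len(data) < TLS_HEADER_LEN:
        raise MalformedRecord("short header")
    ctype, version, length = struct.unpack("!BHH", data[:TLS_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise MalformedRecord(f"unknown content type {ctype}")
    if version >> 8 != 0x03:          # SSL 3.0 and TLS 1.x share major version 3
        raise MalformedRecord(f"unexpected version 0x{version:04x}")
    if length > MAX_FRAGMENT_LEN:
        raise MalformedRecord(f"declared length {length} exceeds protocol max {MAX_FRAGMENT_LEN}")
    return ctype, version, length


class Reassembler:
    """Collects TCP segments into whole TLS records inside a fixed-size buffer.

    `capacity` stands in for the constrained buffer an embedded device would
    allocate (assumed 4096 bytes here). It is checked as soon as the header is
    complete, before a single payload byte is appended."""

    def __init__(self, capacity: int = 4096):
        self.capacity = capacity
        self.buf = bytearray()

    def _expected_total(self) -> int:
        _ctype, _version, length = parse_record_header(bytes(self.buf))
        total = TLS_HEADER_LEN + length
        if total > self.capacity:
            raise MalformedRecord(f"record of {total} bytes exceeds buffer capacity {self.capacity}")
        return total

    def feed(self, segment: bytes) -> list[tuple[int, bytes]]:
        """Consume one segment; return any (content_type, fragment) records completed."""
        records = []
        view = memoryview(segment)
        while len(view):
            # Take only what the current record still needs: the header first,
            # then exactly the validated payload length, never the whole segment.
            if len(self.buf) < TLS_HEADER_LEN:
                need = TLS_HEADER_LEN - len(self.buf)
            else:
                need = self._expected_total() - len(self.buf)
            take = min(need, len(view))
            self.buf += view[:take]
            view = view[take:]
            if len(self.buf) >= TLS_HEADER_LEN and len(self.buf) == self._expected_total():
                records.append((self.buf[0], bytes(self.buf[TLS_HEADER_LEN:])))
                self.buf.clear()
        return records


def build_record(ctype: int, fragment: bytes, version: int = 0x0303) -> bytes:
    """Encode a TLS record; used only to construct the sample inputs below."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


if __name__ == "__main__":
    r = Reassembler()
    ok = build_record(22, b"\x01" * 100)          # constructed handshake record
    print(r.feed(ok[:3]), r.feed(ok[3:]))         # [] then one completed record
    try:
        # Constructed header declaring 65535 payload bytes: rejected before any payload is buffered
        Reassembler().feed(bytes([22, 3, 3, 0xFF, 0xFF]) + b"A" * 64)
    except MalformedRecord as e:
        print("rejected:", e)
```

Two checks are deliberately separate: the protocol bound catches lengths no TLS peer can legitimately send, and the capacity check catches lengths that are valid TLS but larger than this receiver's buffer; an embedded implementation that enforces only the first one is still exploitable whenever its buffer is smaller than the protocol maximum.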
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See vendor advisory for specific firmware updates per product series
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2022-067-02/
Restart Required: Yes
Instructions:
1. Identify the UPS model and its Series ID.
2. Download the firmware update for that Series ID from the Schneider Electric portal.
3. Apply the firmware update following the vendor instructions.
4. Reboot the UPS.
🔧 Temporary Workarounds
Network Segmentation
Isolate UPS devices on a separate VLAN with strict firewall rules that limit access to their management interfaces to trusted management hosts.
TLS Inspection Blocking
Where an inline network device can see the UPS's TLS traffic, configure it to drop malformed TLS records destined for the UPS management ports. Treat this as a partial control: on encrypted traffic an appliance can validate only the cleartext record header (content type, version, declared length), so it catches obviously bad length fields but not every malformed payload.
🧯 If You Can't Patch
- Place UPS devices on an isolated network segment with no internet access
- Apply strict firewall rules that allow only the necessary management traffic, and only from trusted sources
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the UPS management interface or the Schneider Electric management software and compare it, by product series and Series ID, with the affected-versions list in the vendor advisory.
Check Version:
Use the Schneider Electric management software or the UPS web interface to read the firmware version.
Verify Fix Applied:
Confirm that the firmware version shown in the management interface is the fixed version for that Series ID.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed TLS handshake attempts
- Unexpected device reboots
- Unusual network traffic to UPS management ports
Network Indicators:
- Malformed TLS packets to UPS management ports (typically TCP/443 or TCP/8443), for example records whose declared length exceeds what the TLS record layer permits
- Unexpected outbound connections from UPS devices
SIEM Query:
(dest_ip="UPS_IP" AND (dest_port=443 OR dest_port=8443) AND (tls.handshake.failed=true OR tls.record_length>THRESHOLD)) OR (src_ip="UPS_IP" AND NOT dest_ip IN ("KNOWN_MGMT_HOSTS"))
Field names are illustrative; map them to your SIEM's schema, replace UPS_IP and KNOWN_MGMT_HOSTS with your UPS addresses and the hosts they legitimately talk to, and set THRESHOLD to the largest TLS record the device legitimately sends (the TLS record layer caps a record's fragment at 16384 + 2048 bytes, per RFC 5246).
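As an added example (not vendor code and not tied to any real log format), the three indicators above turned into detection logic in Python and run over constructed JSON log lines. The UPS addresses, the allowlisted management host, the JSON field names and the thresholds are assumptions; map them to your own sensor's schema (Zeek ssl.log and conn.log, a firewall log, a flow collector) before use. It is the same logic as the SIEM query above, in a form that can be unit-tested against sample telemetry.

```python
"""Added example: detection logic for the indicators on this page, run over
constructed log lines. Not vendor code; field names and thresholds are assumed."""
import json
from collections import defaultdict, deque

UPS_HOSTS = {"10.20.30.40", "10.20.30.41"}   # assumed UPS management addresses
UPS_TLS_PORTS = {443, 8443}
MAX_TLS_RECORD = 2 ** 14 + 2048               # RFC 5246 TLSCiphertext length limit
ALLOWED_OUTBOUND = {"10.20.30.5"}             # assumed: the site's UPS management server
FAILED_HANDSHAKE_THRESHOLD = 5                # failures per source within the window
WINDOW_SECONDS = 60

# Constructed sample log lines (not real telemetry). One JSON object per line.
SAMPLE_LOG = """\
{"ts": 1000, "event": "tls_handshake_failed", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1004, "event": "tls_handshake_failed", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1009, "event": "tls_handshake_failed", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1013, "event": "tls_handshake_failed", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1018, "event": "tls_handshake_failed", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1100, "event": "tls_handshake_failed", "src_ip": "192.168.9.78", "dst_ip": "10.20.30.40", "dst_port": 443}
{"ts": 1120, "event": "tls_record", "src_ip": "192.168.9.77", "dst_ip": "10.20.30.40", "dst_port": 443, "record_len": 65535}
{"ts": 1121, "event": "tls_record", "src_ip": "10.20.30.5", "dst_ip": "10.20.30.40", "dst_port": 443, "record_len": 517}
{"ts": 1200, "event": "conn", "src_ip": "10.20.30.40", "dst_ip": "10.20.30.5", "dst_port": 443}
{"ts": 1201, "event": "conn", "src_ip": "10.20.30.41", "dst_ip": "203.0.113.9", "dst_port": 443}
"""


def parse_lines(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(events):
    """Return (alert_type, src_ip, dst_ip) tuples for the three indicators."""
    alerts = []
    failures = defaultdict(deque)             # (src, dst) -> recent failure timestamps
    for ev in events:
        src, dst, port = ev["src_ip"], ev["dst_ip"], ev.get("dst_port")
        to_ups_tls = dst in UPS_HOSTS and port in UPS_TLS_PORTS
        if ev["event"] == "tls_handshake_failed" and to_ups_tls:
            # 1. Repeated failed handshakes from one source against a UPS TLS port,
            #    counted over a sliding window; fire once when the threshold is reached.
            q = failures[(src, dst)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) == FAILED_HANDSHAKE_THRESHOLD:
                alerts.append(("repeated_tls_failures", src, dst))
        elif ev["event"] == "tls_record" and to_ups_tls and ev.get("record_len", 0) > MAX_TLS_RECORD:
            # 2. A record header declaring a length no TLS peer can legitimately send.
            alerts.append(("oversized_tls_record", src, dst))
        elif ev["event"] == "conn" and src in UPS_HOSTS and dst not in ALLOWED_OUTBOUND:
            # 3. The UPS initiating a connection to a destination it should never contact.
            alerts.append(("unexpected_outbound", src, dst))
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse_lines(text))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

Run against the constructed sample, the logic raises exactly three alerts: the burst of failed handshakes from 192.168.9.77, the 65535-byte record from the same source, and the UPS at 10.20.30.41 reaching out to 203.0.113.9; the single failure from 192.168.9.78 and the in-spec record from the management server stay quiet.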