CVE-2022-42972
📋 TL;DR
This vulnerability allows local attackers to escalate privileges by modifying the webroot directory due to incorrect permissions. It affects APC and Schneider Electric Easy UPS Online Monitoring Software on Windows systems. Attackers must have local access to exploit this flaw.
💻 Affected Systems
- APC Easy UPS Online Monitoring Software
- Schneider Electric Easy UPS Online Monitoring Software
📦 What is this software?
Apc Easy Ups Online Monitoring Software by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, data theft, malware installation, or persistence mechanisms.
Likely Case
Local user with standard privileges escalates to administrative rights, allowing unauthorized software installation, configuration changes, or access to sensitive system resources.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the specific application's context rather than full system compromise.
🎯 Exploit Status
Exploitation requires local access but appears straightforward based on the CWE-732 description. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2.5-GA, V2.5-GA-01-22261, V2.5-GS, V2.5-GS-01-22261 or later
Restart Required: Yes
Instructions:
1. Download the updated software version from the Schneider Electric/APC website.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict webroot directory permissions
Windows: Manually adjust permissions on the Easy UPS webroot directory to prevent unauthorized modifications
icacls "C:\Program Files\APC\Easy UPS Online Monitoring\webroot" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to systems running the vulnerable software
- Monitor for unauthorized privilege escalation attempts and file permission changes in the webroot directory
🔍 How to Verify
Check if Vulnerable:
Check installed version via Control Panel > Programs and Features or by running the software and checking the About section
Check Version:
wmic product where "name like '%Easy UPS Online Monitoring%'" get version
Verify Fix Applied:
Verify version is V2.5-GA, V2.5-GA-01-22261, V2.5-GS, V2.5-GS-01-22261 or later, and check webroot directory permissions are properly restricted
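As an added example (not taken from the vendor advisory or the original page), the PowerShell function below performs the webroot permission check by listing every allow ACE that gives a principal other than SYSTEM, Administrators or TrustedInstaller write-type access. The function name is hypothetical, the default path is the one used in the workaround command and is assumed to match the install, and the trusted-SID list is an assumption to adjust for the host.

```powershell
# Added example: audit the Easy UPS webroot for ACEs that let unexpected
# principals modify it (the CWE-732 condition described on this page).
function Get-WebrootWritableAce {   # hypothetical helper name
    param(
        # Assumed install path, copied from the workaround command; adjust if needed.
        [string]$WebRoot = 'C:\Program Files\APC\Easy UPS Online Monitoring\webroot'
    )

    # Rights that allow changing content, deleting it, or rewriting the ACL/owner.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some ACEs carry raw generic bits instead: GENERIC_ALL and GENERIC_WRITE.
    $writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

    # Principals expected to hold write access (assumption), by well-known SID.
    $trusted = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Check the directory itself and everything below it.
    $items = @(Get-Item -LiteralPath $WebRoot -ErrorAction Stop) +
             @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs instead of account names so the check is locale independent.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; children are checked on their own.
            if ($rule.PropagationFlags -band $inheritOnly) { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            $granted = [int]$rule.FileSystemRights -band $writeMask
            if ($granted -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = [System.Security.AccessControl.FileSystemRights]$granted
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}
# Usage: Get-WebrootWritableAce | Format-Table -AutoSize
```

Any row returned is a principal outside the trusted list that can still modify the webroot; an empty result means no such ACE was found on the inspected items.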
📡 Detection & Monitoring
Log Indicators:
- Unexpected permission changes to webroot directory
- Privilege escalation events in Windows Security logs
- Unauthorized access attempts to Easy UPS directories
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
((EventID=4672 OR EventID=4688) AND ProcessName LIKE '%Easy UPS%') OR (FilePath LIKE '%webroot%' AND (AccessMask='WRITE_DAC' OR AccessMask='WRITE_OWNER'))
🔗 References
- https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf