Information Exposure Vulnerability in Schneider Electric UPS and Power Distribution Products
CVE-2021-22815

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 28 January 2022

Summary

An information exposure vulnerability allows unauthorized access to sensitive troubleshooting archives in various Schneider Electric Uninterruptible Power Supply (UPS) products and associated Network Management Card systems. This flaw primarily affects multiple models of Smart-UPS, Symmetra, Galaxy, and APC Power Distribution Units using NMC2 and NMC3, potentially exposing critical operational data. Users may inadvertently disclose sensitive information due to misconfigured access controls, which could be exploited by attackers to gain deeper insight into system configurations and operations. Proper security practices and updates are essential to mitigate risks associated with this vulnerability.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
