CVE-2022-0715

Summary

CVE	CVE-2022-0715
State	PUBLISHED
Assigner	schneider
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-03-09 20:15:08 UTC
Updated	2026-05-29 15:16:20 UTC
Description	A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leaked and used to upload malicious firmware. Affected Product: APC Smart-UPS Family: SMT Series (SMT Series ID=18: UPS 09.8 and prior / SMT Series ID=1040: UPS 01.2 and prior / SMT Series ID=1031: UPS 03.1 and prior), SMC Series (SMC Series ID=1005: UPS 14.1 and prior / SMC Series ID=1007: UPS 11.0 and prior / SMC Series ID=1041: UPS 01.1 and prior), SCL Series (SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior), SMX Series (SMX Series ID=20: UPS 10.2 and prior / SMX Series ID=23: UPS 07.0 and prior), SRT Series (SRT Series ID=1010/1019/1025: UPS 08.3 and prior / SRT Series ID=1024: UPS 01.0 and prior / SRT Series ID=1020: UPS 10.4 and prior / SRT Series ID=1021: UPS 12.2 and prior / SRT Series ID=1001/1013: UPS 05.1 and prior / SRT Series ID=1002/1014: UPSa05.2 and prior), APC SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)

Risk And Classification

Primary CVSS: v3.1 9.1 CRITICAL from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem Types: CWE-287 | CWE-345 | CWE-287 CWE-287 Improper Authentication

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	9.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
3.1	ADP	DECLARED	8.9	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	8.9	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H`
2.0	[email protected]	Primary	6.4		`AV:N/AC:L/Au:N/C:N/I:P/A:P`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Schneider-electric	Scl Series 1029 Ups	-	All	All	All
Operating System	Schneider-electric	Scl Series 1029 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Scl Series 1030 Ups	-	All	All	All
Operating System	Schneider-electric	Scl Series 1030 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Scl Series 1036 Ups	-	All	All	All
Operating System	Schneider-electric	Scl Series 1036 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Scl Series 1037 Ups	-	All	All	All
Operating System	Schneider-electric	Scl Series 1037 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smc Series 1005 Ups	-	All	All	All
Operating System	Schneider-electric	Smc Series 1005 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smc Series 1007 Ups	-	All	All	All
Operating System	Schneider-electric	Smc Series 1007 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smc Series 1018 Ups	-	All	All	All
Operating System	Schneider-electric	Smc Series 1018 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smc Series 1041 Ups	-	All	All	All
Operating System	Schneider-electric	Smc Series 1041 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smtl Series 1026 Ups	-	All	All	All
Operating System	Schneider-electric	Smtl Series 1026 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smt Series 1015 Ups	-	All	All	All
Operating System	Schneider-electric	Smt Series 1015 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smt Series 1031 Ups	-	All	All	All
Operating System	Schneider-electric	Smt Series 1031 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smt Series 1040 Ups	-	All	All	All
Operating System	Schneider-electric	Smt Series 1040 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smt Series 18 Ups	-	All	All	All
Operating System	Schneider-electric	Smt Series 18 Ups Firmware	All	All	All	All
Hardware	Schneider-electric	Smx Series 1031 Ups	-	All	All	All
Operating System	Schneider-electric	Smx Series 1031 Ups Firmware	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Schneider Electric	APC Smart-UPS	affected SMT Series	Not specified
CNA	Schneider Electric	APC Smart-UPS	affected SMC Series	Not specified
CNA	Schneider Electric	APC Smart-UPS	affected SCL Series	Not specified
CNA	Schneider Electric	APC Smart-UPS	affected SMX Series	Not specified
CNA	Schneider Electric	APC Smart-UPS	affected SRT Series	Not specified
CNA	Schneider Electric	SmartConnect	affected SMT Series	Not specified
CNA	Schneider Electric	SmartConnect	affected SMC Series	Not specified
CNA	Schneider Electric	SmartConnect	affected SMTL Series	Not specified
CNA	Schneider Electric	SmartConnect	affected SCL Series	Not specified
CNA	Schneider Electric	SmartConnect	affected SMX Series	Not specified

References

Reference	Source	Link	Tags
Security Notification - APC Smart-UPS SMT, SMC, SMX, SCL, SMTL and SRT Series Security and Safety Notice \| Schneider Electric	af854a3a-2127-422b-91ae-364da2661108	www.se.com	Vendor Advisory
CONFIRM:N/A	MITRE	download.schneider-electric.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

590751 Schneider Electric APC Smart-UPS SMT, SMC, SMX, SCL, SMTL and SRT Series Multiple Vulnerabilities (SEVD-2022-067-02)