Zero-Click Flaws in Widely Used UPS Devices Threaten Critical Infratructure

The ‘TLStorm’ vulnerabilities, found in APC Smart-UPS products, could allow attackers to cause both cyber and physical damage by taking down critical infrastructure.

Three critical security vulnerabilities in widely used smart uninterruptible power supply (UPS) devices could allow for remote takeover, meaning that malicious actors could cause business disruptions, data loss and even physical harm to critical infrastructure, researchers have found.

Researchers at Armis Research Labs discovered the flaws, which they’ve dubbed TLStorm, in APC Smart-UPS devices, which number about 20 million in deployment worldwide. APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices. UPS devices provide emergency backup power for mission-critical assets that require high availability.

The risk for widespread disruption and damage in both the cyber and physical worlds is high if the vulnerabilities are exploited, researchers said in a report published online on Tuesday — and could have an impact on a global scale.

By exploiting TLStorm, attackers could remotely take over the devices and use them to breach a company’s internal network and steal data. Moreover, by cutting power for mission-critical appliances or services, attackers also could cause physical injury or disrupt business services,

Read More: