CVE-2022-31491

No Score

Description

The UPS management software normally allows a properly authenticated and authorized user, through a web interface, to configure the system to run a single OS command of the user's choosing when the software detects that a managed UPS is shutting down. A related, critical underlying function is exposed over the network with no authentication or authorization, allowing an attacker to run arbitrary code immediately, regardless of the state or presence of any managed UPS.

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-05

Details

Source: Mitre, NVD

Published: 2025-07-02