Finding APC assets vulnerable to TLStorm
Researchers at Armis recently published details on three new vulnerabilities affecting cloud-connected APC Smart-UPS devices manufactured by Schneider Electric. Dubbed “TLStorm”, two of these vulnerabilities exist in the firmware TLS implementation, while the third vulnerability exists in the firmware update process.
The disclosed CVEs for TLStorm include:
- CVE-2022-22806 (CVSS “critical” score of 9.9) - Authentication bypass via state confusion during TLS handshake
- CVE-2022-22805 (CVSS “critical” score of 9.9) - Pre-authentication buffer overflow in TLS
- CVE-2022-0715 (CVSS “high” score of 8.9) - Unsigned firmware deployment via the network or USB
What is the impact of TLStorm? #
Successful exploitation of these vulnerabilities can provide unauthenticated remote code execution to a remote attacker on vulnerable APC devices that are using the SmartConnect feature (which connects them to the cloud). This opens the door to attacks that could damage the UPS device itself, attacks that could damage devices connected to the UPS, and the attacker establishing a foothold on the private corporate network..
Is an update available? #
Armis coordinated with Schneider Electric on the publishing of TLStorm, and Schneider Electric encourages owners of affected APC Smart-UPS devices to update with available patched firmware. Armis offers additional mitigation techniques for improved safety (see “How can you secure your UPS devices?”).
How do I find potentially vulnerable APC assets with runZero? #
From the Asset Inventory, use the following pre-built query to locate APC assets within your network that are potentially vulnerable to TLStorm:
hw:apc AND protocol:tls

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Find APC Smart-UPS devices on your network
runZero deploys and bulds your asset inventory in minutes. Get results immediately.
Start a free trial

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
Similar Content
September 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreSeptember 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …
Read MoreJuly 31, 2023
How to find Ivanti EPMM (MobileIron Core)
How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero # On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully …
Read More