CVE-2022-42971
Published: 01 February 2023
Summary
CVE-2022-42971 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Microsoft Windows 11. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 14.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-42971 is a CWE-434 unrestricted file upload vulnerability affecting Schneider Electric Easy UPS Online Monitoring Software and the rebranded APC variant. The flaw resides in the web interface of versions prior to V2.5-GA, V2.5-GA-01-22261, V2.5-GS, and V2.5-GS-01-22261 running on Windows 7, 10, 11, and Windows Server 2016/2019/2022; it permits an unauthenticated remote attacker to upload files with arbitrary extensions, including malicious JSP payloads.
An attacker with network access to the monitoring web application can upload a crafted JSP file that is subsequently executed by the server, resulting in full remote code execution with the privileges of the application process. The CVSS 3.1 score of 9.8 reflects the absence of required authentication, user interaction, or special network conditions.
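The weakness behind this CVE is the upload handler trusting the client-supplied file name and extension. The following is an added example (not Schneider Electric's or APC's code, and not a patch for the product) showing what a defensively written upload check looks like for a Java-servlet-style web application: it strips path components, inspects every extension in the name, refuses anything the servlet container would execute, enforces an allowlist, sniffs the content for JSP markup, and stores the file under a random name in a directory outside the web root. The `ALLOWED_EXTENSIONS` set and the `/var/lib/upsmon/uploads` path are hypothetical values chosen for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allowlist: only the types the application genuinely needs to accept.
ALLOWED_EXTENSIONS = {".csv", ".log", ".txt"}
# Extensions a servlet container would execute if the file landed under the web root.
SERVER_EXECUTABLE = {".jsp", ".jspx", ".jspf", ".war", ".jar", ".class"}
# Hypothetical storage directory; must NOT be served by the web server.
UPLOAD_ROOT = "/var/lib/upsmon/uploads"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # randomised on-disk name, never the client's


def normalize_name(client_name: str) -> str:
    """Keep only the final path component, so '../' and 'C:\\' prefixes are dropped."""
    return client_name.replace("\\", "/").split("/")[-1].strip()


def split_extensions(name: str) -> List[str]:
    """Return every extension in the name, so 'shell.jsp.txt' exposes '.jsp' too."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_upload(client_name: str, content: bytes,
                 max_bytes: int = 5 * 1024 * 1024) -> UploadDecision:
    """Decide whether an uploaded file may be written to disk at all."""
    name = normalize_name(client_name)
    if not name or name.startswith("."):
        return UploadDecision(False, "empty or hidden filename")
    if "\x00" in name:
        return UploadDecision(False, "NUL byte in filename")
    exts = split_extensions(name)
    if not exts:
        return UploadDecision(False, "no extension")
    # Deny-list check across ALL extensions catches double-extension tricks.
    if any(e in SERVER_EXECUTABLE for e in exts):
        return UploadDecision(False, "server-executable extension in %s" % name)
    # Allowlist check on the effective (last) extension is the primary control.
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, "extension %s not allowlisted" % exts[-1])
    if len(content) > max_bytes:
        return UploadDecision(False, "file too large")
    # Content sniff: JSP markup in an allowlisted text file is still rejected.
    head = content[:4096]
    if b"<%" in head or b"<jsp:" in head.lower():
        return UploadDecision(False, "JSP markup inside allowlisted file type")
    # The on-disk name is random; only the vetted extension is kept.
    return UploadDecision(True, "ok", secrets.token_hex(16) + exts[-1])


def save_upload(decision: UploadDecision, content: bytes, root: str = UPLOAD_ROOT) -> str:
    """Write an accepted file under root with O_EXCL so an existing file is never clobbered."""
    if not decision.accepted or decision.stored_name is None:
        raise ValueError("refusing to store a rejected upload: " + decision.reason)
    path = os.path.join(root, decision.stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    import tempfile
    # Constructed sample uploads: one benign CSV, three shapes a naive handler would accept.
    samples = [
        ("data.csv", b"time,load\n2023-02-01,42\n"),
        ("shell.jsp", b"<% out.println(1); %>"),
        ("report.jsp.txt", b"x"),
        ("../../webapps/ROOT/notes.txt", b"<jsp:scriptlet>1</jsp:scriptlet>"),
    ]
    tmp = tempfile.mkdtemp()
    for client_name, body in samples:
        d = check_upload(client_name, body)
        print(client_name, "->", "ACCEPT" if d.accepted else "REJECT", d.reason)
        if d.accepted:
            print("   stored at", save_upload(d, body, tmp))
```

The order of checks matters: the deny-list on every extension blocks names such as `shell.jsp.txt`, the allowlist on the effective extension blocks everything not explicitly permitted, and the content sniff and random on-disk name remove the last two ways a rejected type could still reach the container as executable source.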
The vendor advisory SEVD-2022-347-01 directs customers to upgrade to the fixed releases listed above; no workarounds are documented in the notice.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0540 on 2025-12-11 before receding to the current value of 0.0258, indicating a measurable but ultimately limited increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46021
Vulnerability details
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.