Cyber Resilience

CVE-2022-42971

Critical

Published: 01 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (vendor fixed releases, see advisory SEVD-2022-347-01)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0258 (85.9th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-42971 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the web interface of Schneider Electric Easy UPS Online Monitoring Software and its APC-branded variant, which run on Windows 7, 10, 11 and Windows Server 2016/2019/2022. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 14.1% of CVEs by estimated exploit likelihood (85.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-42971 is a CWE-434 unrestricted file upload vulnerability affecting Schneider Electric Easy UPS Online Monitoring Software and the rebranded APC variant. The flaw resides in the web interface of versions prior to V2.5-GA, V2.5-GA-01-22261, V2.5-GS, and V2.5-GS-01-22261 running on Windows 7, 10, 11, and Windows Server 2016/2019/2022; it permits an unauthenticated remote attacker to upload files with arbitrary extensions, including malicious JSP payloads.

An attacker with network access to the monitoring web application can upload a crafted JSP file that is subsequently executed by the server, resulting in full remote code execution with the privileges of the application process. The CVSS 3.1 score of 9.8 reflects the absence of required authentication, user interaction, or special network conditions.
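The upload path the two paragraphs above describe, as an added example in Python (not Schneider Electric or APC code): a handler that trusts the client's file name and writes it under the web root, beside one that allow-lists the extension, checks the content against it, and stores the bytes under a random server-chosen name outside the web root. The web root layout, the allowed types, the executable-extension set and the sample uploads are constructed assumptions, and the JSP scriptlet in the samples only prints a marker.

```python
"""Vulnerable vs. hardened handling of an upload, modelled on the CWE-434 bug class
behind CVE-2022-42971. Added example, not Schneider Electric / APC code: the web root,
the allow-list and the sample uploads are constructed assumptions."""
import os
import secrets
import tempfile

# Extensions a servlet container executes when found under the web root (assumption).
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war"}

# Types the application is assumed to need, with the magic bytes that must open the file.
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".csv": None}

# Constructed uploads; the scriptlet only prints a marker, it is not a working shell.
SCRIPTLET = b'<% out.println("added-example marker"); %>'
SAMPLE_UPLOADS = {
    "shell.jsp": SCRIPTLET,                  # the CVE case: JSP lands in the web root
    "shell.JSP": SCRIPTLET,                  # case trick
    "../shell.jsp": SCRIPTLET,               # traversal out of the intended folder
    "shell.jsp.png": SCRIPTLET,              # double extension
    "fake.png": SCRIPTLET,                   # benign name, JSP content
    "notes.csv": b"a,b\n" + SCRIPTLET,       # scriptlet smuggled into a text type
    "report.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
    "readings.csv": b"timestamp,load_pct\n2023-02-01T00:00Z,42\n",
}


class UploadRejected(ValueError):
    pass


def vulnerable_save(webroot: str, client_name: str, data: bytes) -> str:
    """CWE-434 as described in the advisory: the client's name is trusted and the
    bytes are written under the web root, so 'shell.jsp' runs on the next request."""
    dest = os.path.join(webroot, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the allow-listed extension for this upload or raise UploadRejected.
    Every decision is made server-side from the bytes, never from client claims."""
    if "\x00" in client_name:
        raise UploadRejected("null byte in file name")
    if "/" in client_name or "\\" in client_name:
        raise UploadRejected("path separator in file name")
    parts = client_name.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        # Exactly one extension: refuses 'shell.jsp.png', '.jsp' and 'noext' alike.
        raise UploadRejected("file name must be <name>.<ext>")
    ext = "." + parts[1]
    if ext in EXECUTABLE_EXTENSIONS or ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext} not allowed")
    magic = ALLOWED_TYPES[ext]
    if magic is not None:
        if not data.startswith(magic):
            raise UploadRejected("content does not match declared type")
    else:
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("non-text content in text upload") from None
        if "<%" in text or "<jsp:" in text.lower():
            raise UploadRejected("scriptlet markers in text upload")
    return ext


def hardened_save(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate, then store under a random server-chosen name outside the web root.
    The client's name never reaches the filesystem, so nothing it contains matters."""
    ext = validate_upload(client_name, data)
    os.makedirs(upload_dir, exist_ok=True)
    dest = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def run_demo(root: str) -> dict:
    """Feed every sample upload to both handlers; map name -> observed outcome."""
    webroot = os.path.join(root, "webapps", "ROOT", "upload")
    store = os.path.join(root, "upload-store")
    results = {}
    for name, data in SAMPLE_UPLOADS.items():
        written = vulnerable_save(webroot, name, data)
        executable = os.path.splitext(written)[1].lower() in EXECUTABLE_EXTENSIONS
        try:
            hardened_save(store, name, data)
            outcome = "accepted"
        except UploadRejected as err:
            outcome = f"rejected: {err}"
        results[name] = {"vulnerable_wrote_executable": executable, "hardened": outcome}
    return results


def demo_in_tempdir() -> dict:
    return run_demo(tempfile.mkdtemp(prefix="cwe434-demo-"))


if __name__ == "__main__":
    for name, outcome in demo_in_tempdir().items():
        print(f"{name:16} executable={outcome['vulnerable_wrote_executable']!s:5} "
              f"hardened={outcome['hardened']}")
```

Run it directly to see which sample uploads the vulnerable handler places as executable content under the web root and why the hardened handler refuses each of the others. Two choices matter more than the rest: the client's file name is used only for validation and never for the stored path, and text uploads are checked for scriptlet markers because a file the container will not execute today can still be served back or renamed later.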

The vendor advisory SEVD-2022-347-01 directs customers to upgrade to the fixed releases listed above; no workarounds are documented in the notice.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0540 on 2025-12-11 before receding to the current value of 0.0258, indicating a measurable but limited rise in predicted exploitation likelihood after disclosure.


Vulnerability details

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file.

Affected Products:
- APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022) - versions prior to V2.5-GA
- APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022) - versions prior to V2.5-GA-01-22261
- Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022) - versions prior to V2.5-GS
- Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022) - versions prior to V2.5-GS-01-22261

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- schneider-electric / apc easy ups online monitoring software: ≤ 2.5-ga-01-22320 · ≤ 2.5-ga
- schneider-electric / easy ups online monitoring software: ≤ 2.5-gs-01-22320 · ≤ 2.5-gs

Note that the build numbers in this asset list (…-22320) differ from those in the vendor advisory text above (…-22261); when checking installed versions, treat the vendor advisory SEVD-2022-347-01 as authoritative.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry, so it is generic to unrestricted file upload rather than specific to this product. For a web interface that accepts uploads from unauthenticated network clients, the entries that actually bear on the flaw are upload-content scanning and sandbox detonation; the portable-media and firmware write-protect entries address other CWE-434 scenarios and do not mitigate this CVE.

- (addresses CWE-434) Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- (addresses CWE-434) Dangerous file uploads can be detonated in a sandbox to determine malice before any production write or execution occurs.
- (addresses CWE-434) Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- (addresses CWE-434) Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
