Critical SSH Flaw in Schneider Electric UPS Devices Risks Power Grid Security

A critical vulnerability has sent ripples through the global industrial cybersecurity community: all versions of Schneider Electric’s Galaxy VS, Galaxy VL, and Galaxy VXL uninterruptible power supplies (UPS), widely used to protect critical infrastructure, are exposed to a remotely exploitable security flaw that earns the highest possible Common Vulnerability Scoring System (CVSS) rating—10.0. With no authentication required and low attack complexity, this CVE-2025-32433 vulnerability allows unauthenticated remote code execution (RCE) and poses an immediate, severe threat to power resilience across sectors ranging from energy grids to manufacturing plants and commercial facilities.

Understanding the Scope: What’s at Risk?​

Schneider Electric and Its Galaxy Series UPS​

Schneider Electric, a multinational energy and automation giant headquartered in France, is noted for its robust uninterruptible power supply systems. The Galaxy VS, Galaxy VL, and Galaxy VXL product lines are installed in data centers, industrial facilities, utility substations, and other mission-critical environments around the world. These UPS units maintain power and protect expensive equipment during outages or electrical anomalies, making their integrity paramount for continuous operations.
Galaxy VS/VL/VXL units rely heavily on embedded software and remote management capabilities. These features, prized for reducing on-site intervention, have also unfortunately increased the attack surface—now a familiar story across the Industrial Control Systems (ICS) landscape.

The Nature of the Vulnerability: Technical Reality​

Anatomy of CVE-2025-32433​

At the heart of this issue is a missing authentication for critical function (CWE-306) within the system’s SSH (Secure Shell) handling. The affected component is built on the Erlang/OTP stack—an established, high-performance environment for scalable applications. The vulnerability is rooted in how certain versions of Erlang/OTP (prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20) handle SSH protocol messages.
If left unpatched, this flaw allows a remote attacker—without possessing any credentials—to execute arbitrary commands on a vulnerable UPS. The nature of code execution is platform-level, with potential for the attacker to take full control: change device parameters, disable power regulation, or even shut down backup power functions entirely. In the context of critical infrastructure, such control could translate to interrupted power for thousands, costly downtime, or opportunities for cascading failures across interconnected systems.
The assigned CVSS v3.1 base score of 10.0 reflects the worst-case combination: vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. This translates as follows:

• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Privileges Required (PR): None
• User Interaction (UI): None
• Scope (S): Changed
• Confidentiality/Integrity/Availability Impact (C/I/A): High

In practice, the exploit can be automated, is effective over standard networks, and requires minimal expertise—a trifecta for adversaries.

Product Versions Affected​

Schneider Electric has confirmed all versions of Galaxy VS, Galaxy VL, and Galaxy VXL products are affected. This blanket exposure is notable given the extensive installed base and prolonged operational lifespans of industrial UPS devices. These units are widely deployed and often run for years—even decades—without hardware refresh.

The Technical Root: Erlang/OTP SSH Server Flaw​

The technical root cause is a flaw in SSH protocol message handling. When an attacker communicates with the embedded SSH server component running on these UPS units, they can bypass authentication entirely under specific conditions. The vulnerability is not exclusive to these models—other embedded products using affected Erlang/OTP versions could, hypothetically, also be at risk. However, no broader exploitation has been publicly documented to date.
Patched Erlang/OTP versions (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20) resolve the flaw, but at the time of writing, no firmware update is yet available to bring these UPS models to safety.

Exploitation Potential: The Real-World Risks​

Why the CVSS 10.0 Matters​

A CVSS 10.0 rating is not common; it signifies “critical” in every respect. The low attack complexity, no-credentials-needed scenario means unattended or internet-exposed UPS units are ripe for compromise by threat actors ranging from cybercriminals to nation-state adversaries.
Shutdown or manipulation of power equipment can result in:

• Business interruption: Loss of power during a critical window could halt production lines, disrupt healthcare services, or bring data centers offline, incurring significant losses.
• Equipment damage: Malicious control of UPS parameters could trigger electrical transients or improper shutdown—a risk for sensitive computing or medical equipment.
• Supply chain attacks: A compromised UPS can serve as a beachhead for lateral movement into more sensitive network segments.

While there is no public evidence yet of active exploitation, the ready availability of technical details—and typical lag in patching industrial devices—makes proactive defense urgent.

Critical Infrastructure Exposure​

ICS/SCADA equipment, including power backup units, often bridges operational (OT) and corporate (IT) networks. Insecure configurations or insufficient segmentation can expose these devices to the broader internet, where they become discoverable (and attackable) using tools like Shodan. Past incidents (such as the infamous Mirai botnet and ransomware attacks on critical infrastructure) illustrate how adversaries pivot from peripheral devices to high-value assets.

Schneider Electric’s Response and Immediate Remediation Steps​

Official Mitigations Published​

Schneider Electric has moved swiftly to acknowledge the issue, reporting it to CISA and publishing detailed mitigation guidance. However, with a firmware update still pending, risk owners cannot rely solely on vendor patches.
Current mitigation recommendations:

• Disable SSH/SFTP/SCP access: Immediately log into the device’s web interface, navigate to Configuration → Network → Console → Access, and uncheck the “enable SSH/SFTP/SCP” option. Apply changes.
• Network segmentation and firewalling: Restrict all access to SSH port 22/TCP through strict firewall rules. Only allow trusted, internal networks—never expose management interfaces to the open internet.
• Consult official security resources: Schneider Electric recommends reviewing the Network Management Card 4 Security Handbook for further locking down access.
• Monitor for updates: Subscribe to Schneider Electric’s security notification service to receive updates on remediation firmware availability.
• Contact manufacturer support: Obtain direct assistance as needed via Schneider’s support portal.

Industry-Standard Cybersecurity Best Practices​

In line with guidance from both Schneider Electric and CISA, organizations should:

• Place industrial devices behind dedicated firewalls and segment from business-critical IT assets.
• Physically secure all controllers and management workstations.
• Never leave programmable logic controllers (PLCs) or UPS management interfaces in programming or maintenance modes longer than necessary.
• Strictly control use of external media (USB drives, CDs) on sensitive networks; verify all before use.
• For remote access, deploy rigorously configured, up-to-date VPNs—and ensure remote endpoints are equally secure.

CISA adds several vital recommendations:

• Conduct thorough risk analyses before deploying or updating security controls.
• Never connect programming software or consoles to unintended network segments.
• Routinely monitor for signs of social engineering, phishing, or abnormal remote access attempts.

For more details on hardening industrial systems against cyberattack, organizations can consult CISA’s resources on ICS recommended practices and defense-in-depth.

Critical Analysis: What Makes This Vulnerability So Dangerous?​

Notable Strengths in Vendor Response​

Schneider Electric’s public acknowledgement and coordination with CISA is a positive indicator of mature vulnerability disclosure practices. Early transparency and clear, actionable advisories empower asset owners to take immediate, risk-reducing steps—even while waiting for permanent fixes.
Furthermore, providing granular guidance (rather than generic “contact support” advice) enables even those with limited cybersecurity resources to address the most pressing risks. The reference to industry-standard hardening (network segmentation, minimal exposure, locking cabinets, etc.) shows an alignment with leading ICS/OT security frameworks.

Weaknesses and Ongoing Risks​

Despite these strengths, several factors make the situation unusually hazardous:

• Breadth of exposure: All current versions of three major UPS product lines are affected—a potentially massive global footprint. Industrial UPS devices are critical for continuous operation and can be difficult to remove or service on short notice.
• Slow patch cycles: Updates for embedded, industrial devices (especially in regulated environments) often lag behind those for traditional IT equipment due to the need for qualification, safety testing, and business continuity concerns.
• Long operational lifespans: Unlike consumer devices, industrial UPS systems often remain in place for many years—sometimes decades—suggesting some units may never see updates without active intervention.

Technical Risk Factors​

• Authentication failure at a critical boundary: The SSH service is foundational for secure remote management. A total authentication bypass erases almost all lines of defense on the management interface. If attackers reach port 22, compromise is trivial.
• Potential for chained attacks: Should future research reveal similar flaws in nearby systems, attackers may chain vulnerabilities, amplifying impact.
• Discovery and exploitation automation: Tools to identify exposed devices (such as Shodan, Censys) combined with automated exploits reduce barrier to entry for malicious actors. Even script kiddies can potentially exploit this flaw once a proof-of-concept is published.

Recommendations for Asset Owners​

Immediate Defensive Actions​

• Disable SSH immediately if not essential to business continuity. For rare exceptions, restrict access to a dedicated, physically isolated management network.
• Audit device inventories to locate all at-risk Galaxy VS/VL/VXL deployments, prioritizing internet-facing and OT/IT boundary assets.
• Enforce network segmentation: Use VLANs, firewalls, and access control lists (ACLs) to prevent lateral movement.
• Implement monitoring for anomalies: Log all connection attempts to management ports and alert on failed or unexpected SSH events.

Long-Term Strategies​

• Adopt a “security by design” posture: Emphasize procurement and deployment of devices with long-term support, rapid patchability, and demonstrable secure development lifecycles.
• Establish incident response plans: Prepare for worst-case scenarios—a compromise of power equipment should be included in tabletop exercises and disaster recovery planning.
• Partner with vendors early: Participate in security alerting, feedback, and remediation cycles to accelerate patch delivery and validation in your environment.

Broader Implications for Industrial Cybersecurity​

This vulnerability serves as a potent reminder of a persistent dilemma in operational technology: optimizing for availability and remote manageability can expose critical systems to serious cyber risk. Despite robust industry awareness, the design and procurement of embedded devices still lags behind IT in terms of secure defaults and life-cycle patch management.
The industrial sector—especially energy, manufacturing, and data centers—should take this opportunity to reassess risk profiles associated with management interfaces. Password protections, firewalls, and physical security must be layered, but modern threats demand defense-in-depth that presumes, and can contain, a breach even on trusted networks.

Conclusion: Heightened Vigilance Is the Only Cure Until Patching Arrives​

Schneider Electric’s Galaxy VS, Galaxy VL, and Galaxy VXL UPS devices have for years been trusted pillars of industrial reliability. Now, a severe, remotely exploitable authentication flaw threatens to undermine that trust unless swift action is taken.
Key takeaways:

• Every organization with these devices must act now—disable SSH/SFTP/SCP services and ensure strict network segmentation.
• Monitor vendor advisories for the promised firmware update; implement the patch as soon as it becomes available.
• Rigorously follow ICS/OT hardening principles, as laid out by both Schneider Electric and CISA.
• Treat all management interfaces as high-value cyber targets—because attackers already do.

The discovery and responsible disclosure of this vulnerability highlights once again that cybersecurity is not a one-time task but an ongoing process woven into the lifeblood of industrial operations. Those who respond decisively will mitigate immediate risk and be better prepared for whatever threats tomorrow may bring. As always in the world of critical infrastructure, vigilance and adaptability are the best guarantees of resilience.

---

Source: CISA Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL | CISA