There's many safer ways to let a mostly untrusted process run shutdown. Like a sudo setup letting the UPS user only run shutdown. Or /etc/shutdown.allow. Or something using CAP_SYS_BOOT. systemd might have a solution too. I get the impression I just spent more time thinking about this writing my response to you than the APC folks ever did.
Yes, I am afraid my UPS will hack me. More specifically I'm afraid this badly written closed source software will have some security hole that can be used to escalate to root.
Afraid your ups will hack you?