There are many safer ways to let a mostly untrusted process run shutdown. Like a sudo setup letting the UPS user only run shutdown. Or /etc/shutdown.allow. Or something using CAP_SYS_BOOT. systemd might have a solution too. I get the impression I just spent more time thinking about this while writing my response to you than the APC folks ever did.
Yes, I am afraid my UPS will hack me. More specifically I'm afraid this badly written closed source software will have some security hole that can be used to escalate to root.
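The sudo option mentioned in the comment above, sketched as an added example (not part of the original comment and not APC's configuration). The account name `upsmon` and the `/sbin/shutdown` path are assumptions.

```sudoers
# /etc/sudoers.d/ups-shutdown  (constructed example; install with mode 0440)
# "upsmon" is a hypothetical unprivileged account the UPS daemon runs as.
# Check the shutdown path on your system with `command -v shutdown`.

# Exact command and arguments only: no wildcards, so the account cannot
# pass other options or run any other binary as root.
Cmnd_Alias UPS_POWEROFF = /sbin/shutdown -h now

# A daemon has no TTY to type a password into, hence NOPASSWD.
upsmon ALL = (root) NOPASSWD: UPS_POWEROFF

# Do not let the caller's environment reach the root-owned command.
Defaults:upsmon env_reset, !setenv
```

Validate the file with `visudo -cf /etc/sudoers.d/ups-shutdown` before relying on it. The daemon would then invoke `sudo -n /sbin/shutdown -h now`, which fails instead of prompting if the rule does not match.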