Multiple Vulnerabilities in Schneider Electric PowerChute Serial Shutdown
Multiple vulnerabilities, including CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, and CVE-2026-2401, in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior could allow attackers with adjacent network access and high privileges to overwrite critical system files via path traversal, forge or inject malicious log data, gain unauthorized account access through excessive authentication attempts, trigger denial-of-service conditions, or expose sensitive information.
CISA has issued an advisory regarding multiple vulnerabilities affecting Schneider Electric PowerChute Serial Shutdown software, versions 1.4 and prior. These vulnerabilities, including CVE-2026-2399 (Path Traversal), CVE-2026-2404 (Improper Output Encoding), CVE-2026-2405 (Excessive Authentication Attempts), CVE-2026-2403 (Uncontrolled Resource Consumption), CVE-2026-2400 (Improper Input Validation), and CVE-2026-2401 (CRLF Injection and Sensitive Information in Log), pose significant risks. Successful exploitation could lead to critical system file overwrites, log data manipulation, unauthorized account access, denial-of-service, and sensitive information exposure. The affected software is deployed globally across critical infrastructure sectors such as Communications, Critical Manufacturing, Energy, Healthcare, Information Technology, and Transportation Systems. While no active exploitation has been reported, the potential impact on critical operations necessitates immediate attention from defenders.
Attack Chain
- An attacker gains adjacent network access to the host running Schneider Electric PowerChute Serial Shutdown (implied by CVSS AV:A).
- The attacker acquires high-privilege credentials for the PowerChute application (implied by CVSS PR:H).
- Leveraging CVE-2026-2399, the attacker crafts a malicious input string containing path traversal sequences (e.g.,
../../) targeting PowerChute's file handling functions. - The crafted input is submitted through an authenticated interface, leading to the overwrite of critical system files or unauthorized file creation.
- Through CVE-2026-2404 and CVE-2026-2401, the attacker injects malformed data into a PowerChute input field to exploit improper output encoding or CRLF injection.
- This causes PowerChute to log the crafted data, potentially leading to log file poisoning, tampering, or injection of malicious content.
- Exploiting CVE-2026-2403 or CVE-2026-2400, the attacker triggers conditions that lead to uncontrolled resource consumption or malformed input processing, causing a denial-of-service (DoS) on the PowerChute application.
- The attacker attempts to reset user credentials by repeatedly triggering authentication attempts (CVE-2026-2405) or exfiltrates sensitive information exposed in manipulated log files (CVE-2026-2401).
Impact
The successful exploitation of these vulnerabilities could have severe consequences for organizations relying on Schneider Electric PowerChute Serial Shutdown. Attackers could gain unauthorized control over critical system files, leading to system instability, data corruption, or even complete system compromise. Log data manipulation could hinder forensic analysis and incident response efforts, while denial-of-service attacks could disrupt critical operations, particularly in sectors like Energy and Manufacturing where PowerChute manages UPS systems. Exposure of sensitive information could lead to further compromise or compliance violations. The vulnerabilities affect systems worldwide, making the potential for widespread disruption significant if not patched.
Recommendation
- Immediately update Schneider Electric PowerChute Serial Shutdown to version 1.5 or later to address CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, and CVE-2026-2401.
- Review the Schneider Electric Security Handbook referenced in the advisory (https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-PCSSSH_EN) for specific hardening guidelines and mitigation strategies applicable to your environment.
- Ensure proper network segmentation to limit adjacent network access to PowerChute Serial Shutdown installations, as specified by the CVSS vector (AV:A).
- Implement strong authentication policies and monitor for excessive authentication attempts, which could indicate exploitation of CVE-2026-2405.