Schneider Electric PowerChute Serial Shutdown
Schneider Electric PowerChute Serial Shutdown vulnerable to multiple critical flaws.
Summary
Schneider Electric's PowerChute Serial Shutdown software, versions 1.4 and prior, contains multiple vulnerabilities including path traversal, improper output encoding, excessive authentication attempts, uncontrolled resource consumption, improper input validation, CRLF injection, and sensitive information logging. Successful exploitation could lead to file overwrites, unauthorized access, denial-of-service, and data exposure. A fix is available in version 1.5.
Full text
ICS Advisory Schneider Electric PowerChute Serial Shutdown Release DateJuly 09, 2026 Alert CodeICSA-26-190-02 Related topics: Industrial Control System Vulnerabilities , Industrial Control Systems View CSAF Summary Successful exploitation of these vulnerabilities could allow attackers to overwrite critical files, forge or inject malicious log data, gain unauthorized account access, trigger denial‑of‑service conditions, truncate or alter logging information, reset user credentials, or expose sensitive information. The following versions of Schneider Electric PowerChute Serial Shutdown are affected: PowerChute Serial Shutdown <=1.4 CVSS Vendor Equipment Vulnerabilities v3 6.1 SuSE, Schneider Electric, Red Hat, Microsoft Schneider Electric PowerChute Serial Shutdown Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Encoding or Escaping of Output, Improper Restriction of Excessive Authentication Attempts, Uncontrolled Resource Consumption, Improper Validation of Specified Quantity in Input, Improper Neutralization of CRLF Sequences ('CRLF Injection'), Insertion of Sensitive Information into Log File Background Critical Infrastructure Sectors: Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Information Technology, Transportation Systems Countries/Areas Deployed: Worldwide Company Headquarters Location: France Vulnerabilities Expand All + CVE-2026-2399 PowerChute is vulnerable to improper restriction of file paths, which could allow critical system files to be overwritten with unintended data. View CVE Details Affected Products Schneider Electric PowerChute Serial Shutdown Vendor:SuSE, Schneider Electric, Red Hat, Microsoft Product Version:SuSE, Schneider Electric, Red Hat, Microsoft PowerChute Serial Shutdown: <=1.4 Product Status:known_affected Remediations Vendor fixSuSE, Schneider Electric, Red Hat, and Microsoft have identified the following specific workarounds and mitigations users can apply to reduce risk: (CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, CVE-2026-2401) PowerChute Serial Shutdown Versions 1.4 and prior: Version 1.5 of PowerChute Serial Shutdown includes a fix for this vulnerability and is available for download here: Windows (https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/). Linux (https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/).https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/ Vendor fixSuSE, Schneider Electric, Red Hat, and Microsoft have identified the following specific workarounds and mitigations users can apply to reduce risk: (CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, CVE-2026-2401) PowerChute Serial Shutdown Versions 1.4 and prior: Version 1.5 of PowerChute Serial Shutdown includes a fix for this vulnerability and is available for download here: Windows (https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/). Linux (https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/).https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/ MitigationSpecific instructions and hardening guidelines for these mitigations can be found in the Security Handbook.https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-PCSSSH_EN Vendor fixThe following product versions have been fixed: PowerChute Serial Shutdown Version 1.5 installed on Microsoft Windows are fixed versions for CVE-2026-2399. Vendor fixPowerChute Serial Shutdown Version 1.5 installed on Red Hat Enterprise Linux are fixed versions for CVE-2026-2399. Vendor fixPowerChute Serial Shutdown Version 1.5 installed on SuSE Linux are fixed versions for CVE-2026-2399. Vendor fixFor more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-104-01 Multiple Vulnerabilities on PowerChute Serial Shutdown - SEVD-2026-104-01 PDF Version (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf). Multiple Vulnerabilities on PowerChute Serial Shutdown- SEVD-2026-104-01 CSAF Version (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-104-01.json).https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf Vendor fixFor more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-104-01 Multiple Vulnerabilities on PowerChute Serial Shutdown - SEVD-2026-104-01 PDF Version (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf). Multiple Vulnerabilities on PowerChute Serial Shutdown- SEVD-2026-104-01 CSAF Version (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-104-01.json).https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-104-01.json Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 4.0 6.9 MEDIUM CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-2404 PowerChute is vulnerable to improper output encoding, which may allow crafted input to be reflected in log files in unexpected ways. View CVE Details Affected Products Schneider Electric PowerChute Serial Shutdown Vendor:SuSE, Schneider Electric, Red Hat, Microsoft Product Version:SuSE, Schneider Electric, Red Hat, Microsoft PowerChute Serial Shutdown: <=1.4 Product Status:known_affected Remediations Vendor fixSuSE, Schneider Electric, Red Hat, and Microsoft have identified the following specific workarounds and mitigations users can apply to reduce risk: (CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, CVE-2026-2401) PowerChute Serial Shutdown Versions 1.4 and prior: Version 1.5 of PowerChute Serial Shutdown includes a fix for this vulnerability and is available for download here: Windows (https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/). Linux (https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/).https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/ Vendor fixSuSE, Schneider Electric, Red Hat, and Microsoft have identified the following specific workarounds and mitigations users can apply to reduce risk: (CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, CVE-2026-2401) PowerChute Serial Shutdown Versions 1.4 and prior: Version 1.5 of PowerChute Serial Shutdown includes a fix for this vulnerability and is available for download here: Windows (https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/). Linux (https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/).https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/ MitigationSpecific instructions and hardening guidelines for these mitigations can be found in the Security Handbook.https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-PCSSSH_EN Vendor fixPowerChute Serial Shutdown Version 1.5 installed on Microsoft Windows are fixed versions for CVE-2026-2404. Vendor fixPowerChute Serial Shutdown Version 1.5 installed on Red Hat Enterprise Linux are fixed versions for CVE-2026-2404. Vendor fixPowerChute Serial Shutdown Version 1.5 installed on SuSE Linux are fixed versions for CVE-2026-2404. Vendor fixFor more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-104-01 Multiple Vulnerabilities on PowerChute Serial Shutdown - SEVD-2026-104-01 PDF Version (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf). Multiple Vulnerabilities on PowerChu
Indicators of Compromise
- cve — CVE-2026-2399
- cve — CVE-2026-2404
- cve — CVE-2026-2402
- cve — CVE-2026-2405
- cve — CVE-2026-2403
- cve — CVE-2026-2400
- cve — CVE-2026-2401