Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.
AnalysisAI
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path traversal in the POST /REST/upssleep endpoint when maliciously crafting request payloads, potentially causing complete system compromise or denial of service. The vulnerability requires high-privilege Web Admin credentials and adjacent network access, but results in total integrity and availability impact across the affected system. No public exploit code has been identified at the time of analysis.
Technical ContextAI
The vulnerability is a classic CWE-22 path traversal flaw in a REST API endpoint that processes user-supplied file path parameters without proper validation or sanitization. PowerChute Serial Shutdown, a Schneider Electric UPS management application, fails to restrict directory access when parsing the POST /REST/upssleep request payload, allowing an authenticated administrator to traverse the filesystem using relative path sequences (such as '../') to write data outside intended directories. This flaw exists in the web administration interface and affects the application's ability to enforce pathname restrictions, a critical control in multi-user or high-security deployments where administrative credentials may be compromised or misused.
RemediationAI
Schneider Electric has released a security notice (SEVD-2026-104-01) available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf; users must download this document to identify the patched version and upgrade timeline. In the interim, restrict network access to the PowerChute Serial Shutdown web administration interface using firewall rules to allow only trusted administrative hosts, limit Web Admin user accounts to only those who require them, and monitor for unusual POST /REST/upssleep requests with path traversal sequences (../ or ..\) in request logs.
More in Powerchute Serial Shutdown
View allSchneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remo
Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows aut
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin u
Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin
Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file i
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22282
GHSA-4v7v-7v7r-3r5h