Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
AnalysisAI
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to reset application user credentials by manipulating the POST /setPCBEDesc request payload, achieving limited availability impact with CVSS 5.3 and confirmed actively exploited status (CISA KEV).
Technical ContextAI
PowerChute™ Serial Shutdown is a power management application developed by Schneider Electric. The vulnerability stems from improper neutralization of carriage return and line feed (CRLF) sequences in the /setPCBEDesc endpoint, a CWE-93 flaw commonly exploited to inject unintended control characters into protocol streams or backend processing logic. The affected product handles user credential management, and the CRLF injection allows an authenticated administrator to craft malicious payloads that manipulate the credential reset mechanism. This class of vulnerability typically bypasses input validation by embedding newline sequences that cause downstream parsers or handlers to interpret injected content as separate commands or data structures.
RemediationAI
Organizations should upgrade PowerChute™ Serial Shutdown to a version after 1.4; consult the Schneider Electric security advisory SEVD-2026-104-01 for the exact patched version number and download instructions. As an interim mitigation, restrict Web Admin user access to the /setPCBEDesc endpoint through network-level controls or application-level access controls, limiting POST requests to trusted administrative terminals only. Audit and rotate credentials for all Web Admin accounts to detect any unauthorized resets. Monitor application logs for suspicious POST requests to /setPCBEDesc containing CRLF sequences (%0d%0a or literal carriage return/line feed characters).
More in Powerchute Serial Shutdown
View allSchneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remo
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path travers
Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows aut
Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin
Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file i
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22284