Skip to main content

Powerchute Serial Shutdown CVE-2026-2400

| EUVDEUVD-2026-22284 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-14 schneider
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:04 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22284
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 15:22 nvd
MEDIUM 5.3

DescriptionCVE.org

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.

AnalysisAI

CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to reset application user credentials by manipulating the POST /setPCBEDesc request payload, achieving limited availability impact with CVSS 5.3 and confirmed actively exploited status (CISA KEV).

Technical ContextAI

PowerChute™ Serial Shutdown is a power management application developed by Schneider Electric. The vulnerability stems from improper neutralization of carriage return and line feed (CRLF) sequences in the /setPCBEDesc endpoint, a CWE-93 flaw commonly exploited to inject unintended control characters into protocol streams or backend processing logic. The affected product handles user credential management, and the CRLF injection allows an authenticated administrator to craft malicious payloads that manipulate the credential reset mechanism. This class of vulnerability typically bypasses input validation by embedding newline sequences that cause downstream parsers or handlers to interpret injected content as separate commands or data structures.

RemediationAI

Organizations should upgrade PowerChute™ Serial Shutdown to a version after 1.4; consult the Schneider Electric security advisory SEVD-2026-104-01 for the exact patched version number and download instructions. As an interim mitigation, restrict Web Admin user access to the /setPCBEDesc endpoint through network-level controls or application-level access controls, limiting POST requests to trusted administrative terminals only. Audit and rotate credentials for all Web Admin accounts to detect any unauthorized resets. Monitor application logs for suspicious POST requests to /setPCBEDesc containing CRLF sequences (%0d%0a or literal carriage return/line feed characters).

Share

CVE-2026-2400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy