Skip to main content

Powerchute Serial Shutdown CVE-2026-2401

| EUVDEUVD-2026-22286 LOW
Insertion of Sensitive Information into Log File (CWE-532)
2026-04-14 schneider
2.4
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.4 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:04 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22286
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 15:24 nvd
LOW 2.4

DescriptionCVE.org

CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker.

AnalysisAI

Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file insertion when a Web Admin user executes a malicious file supplied by an attacker. The vulnerability (CWE-532) results in low confidentiality impact with local access required and user interaction; no public exploit code or active exploitation has been identified, and the overall CVSS score of 2.4 reflects limited real-world risk despite information disclosure classification.

Technical ContextAI

CWE-532 (Insertion of Sensitive Information into Log File) describes a flaw where sensitive data is written to log files without proper filtering or sanitization. In PowerChute™ Serial Shutdown, the vulnerability occurs when a Web Admin user processes a malicious file crafted by an attacker; the application's logging mechanism fails to strip or obfuscate sensitive information before writing it to logs. This allows an attacker with local system access and who can trick an authenticated administrator into opening a malicious file to view confidential data that would normally be protected. The affected product (CPE: cpe:2.3:a:schneider_electric:powerchute™_serial_shutdown:*:*:*:*:*:*:*:*) is a shutdown management utility typically deployed in industrial and data center environments where log files may be accessible to multiple users with varying privilege levels.

RemediationAI

Upgrade PowerChute™ Serial Shutdown to a version later than 1.4; exact patched version numbers are not specified in the available advisory references, so consult Schneider Electric's SEVD-2026-104-01 security notice for the specific fixed release. As an interim mitigation, restrict access to application log files through operating system file permissions to authenticated users with a legitimate need, and educate Web Admin users to avoid executing files from untrusted sources. Refer to Schneider Electric's official security advisory at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf for complete remediation details.

Share

CVE-2026-2401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy