Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.
AnalysisAI
Schneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing rate limiting on authentication endpoints, enabling attackers to enumerate valid credentials across multiple API endpoints with no authentication prerequisite. The vulnerability has a CVSS score of 6.9 with network-based attack vector and no user interaction required, though the impact is limited to information disclosure rather than full account takeover.
Technical ContextAI
The vulnerability stems from a CWE-307 (Improper Restriction of Excessive Authentication Attempts) flaw in Schneider Electric PowerChute Serial Shutdown, a power management and shutdown utility. The affected product exposes multiple authentication endpoints over the network without implementing rate limiting, account lockout policies, or exponential backoff mechanisms. Attackers can submit unlimited authentication requests with varying credentials to these endpoints sequentially, allowing credential enumeration and brute-force attacks. The CVE-2026-2402 affects the product identified by CPE cpe:2.3:a:schneider_electric:powerchute™_serial_shutdown:*:*:*:*:*:*:*:*, and the root cause is inadequate authentication controls at the application layer.
RemediationAI
Upgrade Schneider Electric PowerChute Serial Shutdown to a version later than v1.4, as specified in vendor advisory SEVD-2026-104-01. If immediate upgrade is not feasible, implement network-level controls such as IP rate limiting, Web Application Firewall (WAF) rules to throttle authentication requests per source IP, and account lockout policies (e.g., disable accounts after 5 failed attempts with a 30-minute cooldown). Monitor authentication logs for repeated failed attempts across endpoints. Refer to the official security advisory at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf for vendor-specific patched versions and additional hardening recommendations.
More in Powerchute Serial Shutdown
View allLog injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remo
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path travers
Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows aut
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin u
Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin
Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22288