Skip to main content

Powerchute Serial Shutdown CVE-2026-2402

| EUVDEUVD-2026-22288 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-14 schneider
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:04 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22288
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 15:16 nvd
MEDIUM 6.9

DescriptionCVE.org

CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.

AnalysisAI

Schneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing rate limiting on authentication endpoints, enabling attackers to enumerate valid credentials across multiple API endpoints with no authentication prerequisite. The vulnerability has a CVSS score of 6.9 with network-based attack vector and no user interaction required, though the impact is limited to information disclosure rather than full account takeover.

Technical ContextAI

The vulnerability stems from a CWE-307 (Improper Restriction of Excessive Authentication Attempts) flaw in Schneider Electric PowerChute Serial Shutdown, a power management and shutdown utility. The affected product exposes multiple authentication endpoints over the network without implementing rate limiting, account lockout policies, or exponential backoff mechanisms. Attackers can submit unlimited authentication requests with varying credentials to these endpoints sequentially, allowing credential enumeration and brute-force attacks. The CVE-2026-2402 affects the product identified by CPE cpe:2.3:a:schneider_electric:powerchute™_serial_shutdown:*:*:*:*:*:*:*:*, and the root cause is inadequate authentication controls at the application layer.

RemediationAI

Upgrade Schneider Electric PowerChute Serial Shutdown to a version later than v1.4, as specified in vendor advisory SEVD-2026-104-01. If immediate upgrade is not feasible, implement network-level controls such as IP rate limiting, Web Application Firewall (WAF) rules to throttle authentication requests per source IP, and account lockout policies (e.g., disable accounts after 5 failed attempts with a 30-minute cooldown). Monitor authentication logs for repeated failed attempts across endpoints. Refer to the official security advisory at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf for vendor-specific patched versions and additional hardening recommendations.

Share

CVE-2026-2402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy