Skip to main content

Powerchute Serial Shutdown CVE-2026-2403

| EUVDEUVD-2026-22290 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-14 schneider GHSA-v2cv-5hx2-p7w9
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 17:04 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22290
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 15:21 nvd
MEDIUM 5.3

DescriptionCVE.org

CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload.

AnalysisAI

Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to truncate event and data logs via crafted POST /logsettings requests, compromising log integrity and audit trail reliability. The vulnerability requires valid admin credentials and network access but poses direct impact to forensic and compliance capabilities. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-1284 (Improper Validation of Specified Quantity in Input), a weakness in input validation mechanisms that fail to properly restrict or validate the quantity of data accepted from user-controlled sources. In PowerChute Serial Shutdown, the affected component is the logsettings endpoint (POST /logsettings) which handles log configuration parameters. When a Web Admin user submits a modified payload with invalid quantity parameters, the application fails to properly validate the specified limits before processing them, allowing truncation or deletion of event and data logs. This weakness affects the log integrity trust boundary and impacts the ability to maintain complete audit trails for security investigations and compliance reporting.

RemediationAI

Schneider Electric has released a security advisory (SEVD-2026-104-01) available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf. Organizations must upgrade PowerChute Serial Shutdown beyond version 1.4 to a patched release when available from the vendor. In the interim, restrict Web Admin user access to the logsettings endpoint through network segmentation, firewall rules, or access controls; implement monitoring and alerting on POST /logsettings requests to detect suspicious payload modifications; enforce strong authentication and regular credential rotation for Web Admin accounts; and establish offline backup and archival of critical logs outside the PowerChute system to preserve audit trails. Consult the vendor advisory for specific patched version availability and deployment guidance.

Share

CVE-2026-2403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy