Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload.
AnalysisAI
Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to truncate event and data logs via crafted POST /logsettings requests, compromising log integrity and audit trail reliability. The vulnerability requires valid admin credentials and network access but poses direct impact to forensic and compliance capabilities. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-1284 (Improper Validation of Specified Quantity in Input), a weakness in input validation mechanisms that fail to properly restrict or validate the quantity of data accepted from user-controlled sources. In PowerChute Serial Shutdown, the affected component is the logsettings endpoint (POST /logsettings) which handles log configuration parameters. When a Web Admin user submits a modified payload with invalid quantity parameters, the application fails to properly validate the specified limits before processing them, allowing truncation or deletion of event and data logs. This weakness affects the log integrity trust boundary and impacts the ability to maintain complete audit trails for security investigations and compliance reporting.
RemediationAI
Schneider Electric has released a security advisory (SEVD-2026-104-01) available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf. Organizations must upgrade PowerChute Serial Shutdown beyond version 1.4 to a patched release when available from the vendor. In the interim, restrict Web Admin user access to the logsettings endpoint through network segmentation, firewall rules, or access controls; implement monitoring and alerting on POST /logsettings requests to detect suspicious payload modifications; enforce strong authentication and regular credential rotation for Web Admin accounts; and establish offline backup and archival of critical logs outside the PowerChute system to preserve audit trails. Consult the vendor advisory for specific patched version availability and deployment guidance.
More in Powerchute Serial Shutdown
View allSchneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remo
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path travers
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin u
Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin
Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22290
GHSA-v2cv-5hx2-p7w9