GHSA-2j49-hp6r-vx83
GHSA-9h8m-3fm2-qjrq
GHSA-q728-gf8j-w49r
GHSA-vhw5-3g5m-8ggf
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests.
AnalysisAI
Denial of service in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to trigger uncontrolled resource consumption by flooding the system with POST requests to the /helpabout endpoint, causing excessive troubleshooting zip file creation and service degradation. Attack requires valid admin credentials and network access to the web interface; CVSS 5.3 reflects low availability impact with no confidentiality or integrity compromise.
Technical ContextAI
The vulnerability stems from insufficient resource consumption controls (CWE-400) in the web administration interface of PowerChute Serial Shutdown. When a user with Web Admin privileges submits repeated POST requests to the /helpabout endpoint, the application generates troubleshooting zip files without rate limiting or quotas. This uncontrolled file creation exhausts disk space and processing resources, degrading or denying availability of the service. The affected product is Schneider Electric PowerChute Serial Shutdown, a Uninterruptible Power Supply (UPS) management solution commonly deployed in critical infrastructure environments.
RemediationAI
Upgrade Schneider Electric PowerChute Serial Shutdown to a version after 1.4 (exact patched version not specified in available data; consult vendor release notes for confirmation). As an interim measure, restrict network access to the web administration interface to trusted IP ranges and implement Web Admin account governance to limit credential exposure and reduce the risk of internal compromise. Monitor disk usage and system resource consumption for abnormal patterns indicative of troubleshooting zip file flooding. Refer to Schneider Electric advisory SEVD-2026-104-01 for additional mitigation details.
More in Powerchute Serial Shutdown
View allSchneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remo
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path travers
Improper validation of input quantity in Schneider Electric PowerChute Serial Shutdown versions 1.4 and prior allows aut
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin u
Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior expose confidential information through log file i
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22293